Analysis

  • max time kernel
    145s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/08/2024, 00:57

General

  • Target

    2024-08-01_632207284b8cf84f06a93b82d4d553b2_darkside.exe

  • Size

    155KB

  • MD5

    632207284b8cf84f06a93b82d4d553b2

  • SHA1

    a873523884cea9e5148f9d26a4c66c34641b53fd

  • SHA256

    b0d1198b2021752acb56ec59912b67e48a61e9d5f2337ec889ae6a6b3cac5bdd

  • SHA512

    d4bbd18d467fbc270a0707018f04dbbab518a6c7e31780a1c9ecc4f9562667948b355dc46a6e075cda474ee3e62a3b222adc21567e68a94cdfe5100cd3b074fc

  • SSDEEP

    3072:UqJogYkcSNm9V7Dgji53yFLCJKw8zh1rZbT:Uq2kc4m9tDg+oFoKwU1l

Malware Config

Extracted

Path

C:\NjuwGaZ6g.README.txt

Ransom Note
>>>> Your data are stolen and encrypted If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe. >>>> You pay the fee, we will provide you with decryption services to help you fix the vulnerability >>>> You can send three files via email for decryption test, limit 3M. >>>> what is usdt? https://tether.to/ >>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will provide you with decryption software and destroy the stolen data. After you pay the ransom, you will quickly make even more money. Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you. Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it. If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future. >>>> You need to contact our email: [email protected] [email protected] [email protected] You need to let all the above emails receive your email,lease note your ID in the email content. Write to us, we will always answer you. Sometimes you will need to wait for our response as we provide decryption services to many companies. You need to contact all our emails: [email protected], please note your ID in the email content. You need to contact all our emails: [email protected], please note your ID in the email content. You need to contact all our emails: [email protected], please note your ID in the email content. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>> Your personal DECRYPTION ID: 913D59053C9E918BE56C7CFE9A794C62 <<<< >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>> Warning! We will delete your key within 72 hours and re-encrypt the entire system. >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you don't pay the ransom, we will attack your company multiple times again! Or a data leak! >>>> If your encrypted server does not have important files and does not require decryption services, you can also seek cooperation. We will escort you. You only need to pay a small fee and we can provide your company with a full set of security assessment services. >>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you. They won't help and will only make things worse for you. In 3 years not a single member of our group has been caught by the police, we are top notch hackers and we never leave a trail of crime. The police will try to prohibit you from paying the ransom in any way. The first thing they will tell you is that there is no guarantee to decrypt your files and remove stolen files, this is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it is a matter of our reputation, we make hundreds of millions of dollars and are not going to lose our revenue because of your files. It is very beneficial for the police and FBI to let everyone on the planet know about your data leak because then your state will get the fines budgeted for you due to GDPR and other similar laws. The fines will be used to fund the police and the FBI, they will eat more sweet coffee donuts and get fatter and fatter. The police and the FBI don't care what losses you suffer as a result of our attack, and we will help you get rid of all your problems for a modest sum of money. 
Along with this you should know that it is not necessarily your company that has to pay the ransom and not necessarily from your bank account, it can be done by an unidentified person, such as any philanthropist who loves your company, for example, Elon Musk, so the police will not do anything to you if someone pays the ransom for you. If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom. The police and FBI will not be able to stop lawsuits from your customers for leaking personal and private information. The police and FBI will not protect you from repeated attacks. Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees. >>>> What are the dangers of leaking your company's data. First of all, you will receive fines from the government such as the GDRP and many others, you can be sued by customers of your firm for leaking information that was confidential. Your leaked data will be used by all the hackers on the planet for various unpleasant things. For example, social engineering, your employees' personal data can be used to re-infiltrate your company. Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered. On another vacation trip, you will have to explain to the FBI where you got millions of dollars worth of stolen cryptocurrency transferred through your accounts on cryptocurrency exchanges. Your personal information could be used to make loans or buy appliances. You would later have to prove in court that it wasn't you who took out the loan and pay off someone else's loan. Your competitors may use the stolen information to steal technology or to improve their processes, your working methods, suppliers, investors, sponsors, employees, it will all be in the public domain. 
You won't be happy if your competitors lure your employees to other firms offering better wages, will you? Your competitors will use your information against you. For example, look for tax violations in the financial documents or any other violations, so you have to close your firm. According to statistics, two thirds of small and medium-sized companies close within half a year after a data breach. You will have to find and fix the vulnerabilities in your network, work with the customers affected by data leaks. All of these are very costly procedures that can exceed the cost of a ransomware buyout by a factor of hundreds. It's much easier, cheaper and faster to pay us the ransom. Well and most importantly, you will suffer a reputational loss, you have been building your company for many years, and now your reputation will be destroyed. >>>> Don't go to recovery companies, they are essentially just middlemen who will make money off you and cheat you. We are well aware of cases where recovery companies tell you that the ransom price is 5 million dollars, but in fact they secretly negotiate with us for 1 million dollars, so they earn 4 million dollars from you. If you approached us directly without intermediaries you would pay 5 times less, that is 1 million dollars.
URLs

https://tether.to/

Signatures

  • Renames multiple (576) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-01_632207284b8cf84f06a93b82d4d553b2_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-01_632207284b8cf84f06a93b82d4d553b2_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:1312
    • C:\ProgramData\E7D1.tmp
      "C:\ProgramData\E7D1.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3648
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E7D1.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3512
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:5076
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{0C8713FF-8838-4799-BA72-2AED144BC10A}.xps" 133669474307830000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:1376

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-113082768-653872390-2867000172-1000\YYYYYYYYYYY

      Filesize

      129B

      MD5

      537e1d60ff0debeea4fa9aad1b1752ca

      SHA1

      6f9765b848079568ffbc1d15100e242df331f880

      SHA256

      e6dd84d0a86adfefb7d68c2ae1356e4fbf655c02d93a3f3cfb5aa7c2904fc8cc

      SHA512

      7dad97a990252483ed4633e4ab8737b1be3b8ac5330778543374464349549f62a8296bdaa066511a71d2bfa4e83fec9e412ea91e7237ba5f43010b1ad7c3ee70

    • C:\NjuwGaZ6g.README.txt

      Filesize

      7KB

      MD5

      b43780714f2fc4b23bc9064e69b70401

      SHA1

      17156bce7d801cdba97d8023a72ea3a20c6d9cd9

      SHA256

      15d3871ac9734ce8b670e24769b5e32ad742ec170c0bef21817f8ebf5632f2ee

      SHA512

      d123ba7d7017bc7812e7860fe3099ac9ebab0ec9fb00592963d4eb1bf8ce8df016d03e58e61740b4c95e38a3022bc694c9cd1851e835c01bc5737d7a445eb6f2

    • C:\ProgramData\E7D1.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

      Filesize

      155KB

      MD5

      22b76594fa5d4af06b09c3cae494e6a4

      SHA1

      458d3d549f97a1f7e7e9963bdb9215623448381b

      SHA256

      c2732c1000751924a0aa15703d9d3ca5b599d02e99713d5c9d4051e91f1d229b

      SHA512

      1b60e839ff1c4e418820f25dde982d28e6a5e5998b13841b197b179de957dc63b8ef10fa3275109d6dfd8628285b3f621b7d4a027c650bf8702af7268ab59484

    • C:\Users\Admin\AppData\Local\Temp\{CB629F94-4005-46A1-81B2-809102DE9A86}

      Filesize

      4KB

      MD5

      d765995968b165e278cc9153b58530d9

      SHA1

      f7a2807f4e5140450db3b6f2373eeb85f3e37d5b

      SHA256

      c1bc26a6443da8155df4ec3354b6d5e4e77f1a53efb169b9278fa93e1eb31559

      SHA512

      bfe983a15762991b1251fd8ae9956f1e5da04936f4779f273c648285cad3f5239340c34ec3284559f1d1358872a9cabe6e2f763f8f546e062ac33a5852391d18

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      42b50697dac0a631c752da76b1cd64fa

      SHA1

      be98ab10ead8ee459d1fef0dd7b515f13105abbd

      SHA256

      f3e23dbce145377f7bed024b0013c3bbd564f197bec415b4569990d115de3d74

      SHA512

      f6d8088d5646d0a2111fdfd9c88bfd6360092acb2a36986af38a2747026e3a3f02597dd7f6644220541f42e1f5e67a8bbd511236d99b6cfca9685b06510a9340

    • F:\$RECYCLE.BIN\S-1-5-21-113082768-653872390-2867000172-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      d5b3c2e56e4eccc79d75928acde73d24

      SHA1

      9c3667f3fb269a036ce9168dfc0444c1dd868952

      SHA256

      48dd19c5b62b2e42b0db94dcb7929a179cdb57e0b00a419c48bf2bda15099ac3

      SHA512

      1f6ec854949dab999ac4e09c80934e44f5a87c465723c46647e16270bd0f0e39229c22a7898b13a44178b70b07f2717ed9ecd2dec930b1dfae6031533802f5df

    • memory/1376-2649-0x00007FF89C150000-0x00007FF89C160000-memory.dmp

      Filesize

      64KB

    • memory/1376-2648-0x00007FF89C150000-0x00007FF89C160000-memory.dmp

      Filesize

      64KB

    • memory/1376-2650-0x00007FF89C150000-0x00007FF89C160000-memory.dmp

      Filesize

      64KB

    • memory/1376-2651-0x00007FF89C150000-0x00007FF89C160000-memory.dmp

      Filesize

      64KB

    • memory/1376-2647-0x00007FF89C150000-0x00007FF89C160000-memory.dmp

      Filesize

      64KB

    • memory/1376-2680-0x00007FF899F40000-0x00007FF899F50000-memory.dmp

      Filesize

      64KB

    • memory/1376-2681-0x00007FF899F40000-0x00007FF899F50000-memory.dmp

      Filesize

      64KB

    • memory/3564-0-0x0000000002D60000-0x0000000002D70000-memory.dmp

      Filesize

      64KB

    • memory/3564-1-0x0000000002D60000-0x0000000002D70000-memory.dmp

      Filesize

      64KB

    • memory/3564-2-0x0000000002D60000-0x0000000002D70000-memory.dmp

      Filesize

      64KB