Resubmissions

19/08/2024, 02:08

240819-ckmz8ssapl 10

19/08/2024, 01:29

240819-bwmyyazelq 10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/08/2024, 02:08

General

  • Target

    2024-08-19_f24e4d221c73ebf1c2fb12d15c13fde9_darkside.exe

  • Size

    145KB

  • MD5

    f24e4d221c73ebf1c2fb12d15c13fde9

  • SHA1

    019ef3cbd70a0c4e3ea5c45ec4afdc28a655ed81

  • SHA256

    4f006379bbd3a2b2611346595ce373595031177d7043200591d81150aefc8ee0

  • SHA512

    1508ebf2cba481eda06707d133b994932688d6d3be6c1373e9e88bf8c36a02331df31dc1a575b6e4ed8a160294c88ae8767115af16af94e51b1589bdeedd1629

  • SSDEEP

    3072:H6glyuxE4GsUPnliByocWepMIO/oULmUHI:H6gDBGpvEByocWeGy6

Malware Config

Signatures

  • Renames multiple (332) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 6 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-19_f24e4d221c73ebf1c2fb12d15c13fde9_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-19_f24e4d221c73ebf1c2fb12d15c13fde9_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\ProgramData\E91.tmp
      "C:\ProgramData\E91.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E91.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:552
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ConnectSwitch.bmp.N0IKX538u
    1⤵
    • Modifies registry class
    PID:1040
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:2452
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\N0IKX538u.README.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:1608
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x148
      1⤵
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\BBBBBBBBBBB

    Filesize

    129B

    MD5

    7281b1b5e16484a749aa7989e2376344

    SHA1

    bec0bd859c2f2e4cb441394f6709991329a640db

    SHA256

    415ac908b7808ff4577b04226c2a43805e0b6d1f6c7b6e805e5e5b7d9d13f821

    SHA512

    d0f79ec68899df293e21e1115fe5bfbdab80d9873388ebdff0d190333581583e63d50e58f2b24562087f40f8a5744e56d43d2e0cd4da641fee9be1e9221290df

  • C:\N0IKX538u.README.txt

    Filesize

    19B

    MD5

    7edb66f1ed51a03a8b381c2307756c3c

    SHA1

    60fbdfcefe96843c077b66f7df2f89cbb3bd0312

    SHA256

    0fb417b326d101acbdbb29f1a10c8cfea19b6ce313c17f970ecbfd318c5015dd

    SHA512

    f65dc6c8a1494c267b217f562a6c98fa4b8d7ee9a77127d4062a6fba5e26879b9a4adb5649b3777d26f95ba491f29cde343fc4353e9ef6c8648ed51332a87dff

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

    Filesize

    145KB

    MD5

    435064cd5ae8c9b1278b36f8f0375050

    SHA1

    bdcdda2cab43e01a7121c0643f70acd464037380

    SHA256

    b5b27557dbd2405ab22d7331217280483bd4380107ac4fcd79c1b4756b24526e

    SHA512

    af7301d2b8a082ffb41bb01c24660f04e5c81d78f6e36a85ae7606a243e3ad8e7d9d7a15f6df4749e5ed13f0ab533f4db9ae267f8e5e6cd137cbf7263532787a

  • F:\$RECYCLE.BIN\S-1-5-21-940600906-3464502421-4240639183-1000\DDDDDDDDDDD

    Filesize

    129B

    MD5

    a1056cf6612c3fbdd8f29c5c86469fa7

    SHA1

    57ecf0eaec4a3d0cf7c3e962d7fbcd1a842cb9d9

    SHA256

    bdf5ffb57336f01a5604ca188a92f4ab41ada4f50fac3248c4ea416ffa1209c1

    SHA512

    b690c69410b5bcbc87fd7edab77e83f5b842b1edaff2305c92db8f9edb8e1c2fedaaa1e6794ab7262d35aa3fd5574c2f8b8fb2261d4082f93c41a820ba8a0486

  • \ProgramData\E91.tmp

    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • memory/2924-0-0x0000000000130000-0x0000000000170000-memory.dmp

    Filesize

    256KB