
Resubmissions

24/09/2024, 02:38

240924-c4vjeswflc 10

24/09/2024, 01:36

240924-b1m5hawbke 10

Analysis

  • max time kernel
    145s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    24/09/2024, 01:36

General

  • Target

    2024-09-24_8f07589938ea42db794ebef25c755965_darkside.exe

  • Size

    147KB

  • MD5

    8f07589938ea42db794ebef25c755965

  • SHA1

    aa6f9576dfc56a6fccb37d9e70ed0bb441e084e8

  • SHA256

    8cdabda0c32376426e32048c867b7d66d9df6a3f0da53baef67e1a30abd444b7

  • SHA512

    79e553062ea5e4de34245bc9e8e6a26db2823cd12d51995e401ebfe47ece36a0a7819a2cad79bf14894a1ca30c9a3587a6101b7e8c3ae1432351deebe8fd86e8

  • SSDEEP

    1536:ZzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDYediJW5QdpkLMuAkHiWIlqUyz:iqJogYkcSNm9V7DFEW5QAQrRW2qT

Malware Config

Extracted

Path

C:\LOyx4shPX.README.txt

Ransom Note
########################################################################################
YOUR COMPANY NETWORK HAS BEEN PENETRATED
All your important files have been encrypted!
Your files are safe! Only modified. (RSA+AES)
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.
No software available on internet can help you. We are the only ones able to solve your problem.
We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future..
We only seek money and our goal is not to damage your reputation or prevent your business from running.
You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back.
YOUR PERSONAL ID: BtVU0r1vpQsdlbLPcJmi8jToR3hqNAaz6fZuMx9gH5kyEOwXYG2KeCFn
Contact us, use the email: [email protected] [email protected]
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Signatures

  • Renames multiple (149) files with added filename extension

    This suggests ransomware activity, i.e. encrypting the files on the system and appending a new extension to each.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
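The first signature above (one process renaming many files with an appended extension, 149 here) is the behavioural core of this report. The following Python is an added example, not tria.ge code, of how a detection pipeline derives that signature from file-rename telemetry: group renames by (pid, appended extension) and alert when one pair exceeds a threshold inside a short window. The events are constructed to resemble this run, and the extension `.LOyx4shPX` is an assumption taken from the ransom-note filename `LOyx4shPX.README.txt`; the report itself does not list the appended extension.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed appended extension, derived from the note name "LOyx4shPX.README.txt"
# (the report does not state it).
ASSUMED_EXT = "LOyx4shPX"


def make_sample_events():
    """Constructed file-rename events: (timestamp, pid, old_path, new_path).

    PID 4416 mirrors the sample's main process renaming many documents;
    the other two records are benign renames that must not trigger.
    """
    base = datetime(2024, 9, 24, 1, 36, 0)
    events = []
    for i in range(25):
        old = rf"C:\Users\Admin\Documents\report{i}.docx"
        events.append((base + timedelta(seconds=i), 4416, old, f"{old}.{ASSUMED_EXT}"))
    # Benign: extension replaced rather than appended (a download finishing).
    events.append((base, 1234, r"C:\Users\Admin\Downloads\setup.partial",
                   r"C:\Users\Admin\Downloads\setup.exe"))
    # Benign: a single backup copy with an appended extension.
    events.append((base, 999, r"C:\Users\Admin\Pictures\photo.jpg",
                   r"C:\Users\Admin\Pictures\photo.jpg.bak"))
    return events


def added_extension(old_path, new_path):
    """Return the appended extension when new_path == old_path + '.' + ext, else None.

    A plain prefix test is not enough: old_path could be a directory prefix of
    new_path, so the remainder must not contain a path separator.
    """
    prefix = old_path + "."
    if not new_path.startswith(prefix):
        return None
    ext = new_path[len(prefix):]
    if not ext or "\\" in ext or "/" in ext:
        return None
    return ext


def find_mass_renames(events, threshold=10, window=timedelta(seconds=60)):
    """Flag (pid, extension) pairs that append the same extension to at least
    `threshold` files inside any `window`-long interval."""
    stamps_by_key = defaultdict(list)
    for ts, pid, old, new in sorted(events, key=lambda e: e[0]):
        ext = added_extension(old, new)
        if ext:
            stamps_by_key[(pid, ext)].append(ts)

    hits = []
    for (pid, ext), stamps in stamps_by_key.items():
        # Sliding window over the time-ordered stamps for this key.
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append({"pid": pid, "extension": ext, "count": best})
    return hits


if __name__ == "__main__":
    for hit in find_mass_renames(make_sample_events()):
        print(f"pid {hit['pid']} appended .{hit['extension']} to {hit['count']} files")
```

The threshold and window are tuning knobs: backup tools and archivers also append extensions in bulk, so in production the rule is usually combined with the other signals on this page (ransom-note drop, self-deletion, privilege-token adjustment) rather than fired on its own.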

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-24_8f07589938ea42db794ebef25c755965_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-24_8f07589938ea42db794ebef25c755965_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:232
    • C:\ProgramData\9454.tmp
      "C:\ProgramData\9454.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9454.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:392
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4512,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
    1⤵
      PID:2564
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:4804
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{DBD05063-CDF3-44C8-B8C2-9AA2A457BD91}.xps" 133716154152870000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:952
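The chain `C:\ProgramData\9454.tmp` (PID 1472) spawning `cmd.exe /C DEL /F /Q C:\PROGRA~3\9454.tmp >> NUL` (PID 392) is what the "Deletes itself" signature keys on. Note that the DEL target is written with the 8.3 alias `PROGRA~3` rather than `ProgramData`, so a rule that compares the full DEL path with the parent's image path misses it. The following Python is an added example, not tria.ge code, that matches on the file name instead; the process records are constructed from the tree above, with the `updater.exe` entry added as a benign control that is not in the report.

```python
import ntpath  # parses Windows paths correctly even when run on Linux
import re

# Constructed process-creation records modelled on the report's process tree
# (pid / ppid / image / command line). PIDs 600 and 500 are a benign control
# that does not appear in the report.
SAMPLE_PROCESSES = [
    {"pid": 4416, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-09-24_8f07589938ea42db794ebef25c755965_darkside.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\2024-09-24_8f07589938ea42db794ebef25c755965_darkside.exe"'},
    {"pid": 1472, "ppid": 4416, "image": r"C:\ProgramData\9454.tmp",
     "cmd": r'"C:\ProgramData\9454.tmp"'},
    {"pid": 392, "ppid": 1472, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9454.tmp >> NUL'},
    {"pid": 600, "ppid": None, "image": r"C:\Program Files\App\updater.exe",
     "cmd": r'"C:\Program Files\App\updater.exe"'},
    {"pid": 500, "ppid": 600, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /C DEL /F /Q "C:\Users\Admin\AppData\Local\Temp\update.log"'},
]

# DEL or ERASE, any number of switches, then the first path argument (quoted or bare).
DEL_RE = re.compile(r'\b(?:DEL|ERASE)\s+(?:/\S+\s+)*"?([^"\s>]+)"?', re.IGNORECASE)


def del_target(command_line):
    """Return the first path handed to DEL/ERASE in a cmd.exe command line, or None."""
    m = DEL_RE.search(command_line)
    return m.group(1) if m else None


def find_self_deletions(processes):
    """Return cmd.exe children whose DEL target has the same file name as the
    parent's image. Comparison is by basename because the DEL argument may use
    8.3 aliases for directories (PROGRA~3 for ProgramData) and differ in case."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for proc in processes:
        if ntpath.basename(proc["image"]).lower() != "cmd.exe":
            continue
        target = del_target(proc["cmd"])
        parent = by_pid.get(proc["ppid"])
        if target is None or parent is None:
            continue
        if ntpath.basename(target).lower() == ntpath.basename(parent["image"]).lower():
            hits.append({"cmd_pid": proc["pid"], "parent_pid": parent["pid"],
                         "parent_image": parent["image"], "deleted": target})
    return hits


if __name__ == "__main__":
    for hit in find_self_deletions(SAMPLE_PROCESSES):
        print(f"pid {hit['cmd_pid']} deletes its parent {hit['parent_image']} (pid {hit['parent_pid']}) via {hit['deleted']}")
```

Basename matching covers the directory alias seen here, but not a file name that is itself 8.3-shortened (a long executable name would appear as something like `NAME~1.EXE`); for that case the detector needs the short name resolved on the host, or both short and long forms recorded in the telemetry. The `>> NUL` redirection and the `/F /Q` switches are incidental: they only suppress prompts and output, so the rule deliberately ignores them.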

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        ba6190a28367c036aa87d9406cb33ce7

        SHA1

        89b72d4732c8e4924615fbb9386c6ff824ca6319

        SHA256

        90498b27cd6c0a37cf59b591a74f892d4cb6dc44a8b02cd5f4ff194badbd8582

        SHA512

        25d373f60e549c00fa66ba27a3b5c13d3775807df92a6a6bae4614426071158dab7556835a6d3419de060e1d3c2b42469285775457d44f73b1239350560f0e04

      • C:\LOyx4shPX.README.txt

        Filesize

        1KB

        MD5

        88cf2517f115408ab7aed8c749642095

        SHA1

        18d3e6939413777568c48969d034325dac990826

        SHA256

        db34f0ce8a7806f24be30cbb2fbfe4b1d2a54fc0aa15f1a6bb0bb8732222ae77

        SHA512

        027517ca25064985f7f085704e0a77622d86cdc390e386ebfef8f758b6b0bf4f9dad9f088478900a6d399f8bb95d0197949ff62b71f2815cbdecb7909f43aad3

      • C:\ProgramData\9454.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        147KB

        MD5

        beb04a90c77786bb49e299796882a0f8

        SHA1

        357874420f9766aa0da60b69e473bc0eebacac62

        SHA256

        26a37b3cd888c5d637f8c701be3c94fc7749e87f769b8c2f7ec96a2d17537cc8

        SHA512

        2ba01c3d8d02dc02ca17607f6a5ed10cf8eb48619ce1400fdba2eb6d5a2d90e7fcae2c80108f9eda82fcbcf43892335dbdf4c098781c37aa280340d8715a9d9a

      • C:\Users\Admin\AppData\Local\Temp\{564D57FE-5700-4E43-BCB8-304D599C65ED}

        Filesize

        4KB

        MD5

        59aebd5b318d78086fb883a6c418189a

        SHA1

        c74a4d31780acefe95efbae4df677ac716e40cb9

        SHA256

        2254f204e7f23a6425160d5b04847625846910a84edd5599fae893123eb508b9

        SHA512

        6057a4140c3b720fa34da6970a04d1b8c28f15276fdd84d6daf59d4dc0f5162b1b74fa95bab3fc63dd4c9f0ebf7da747a1e3fd985353ae3834ee0ece8f70fe56

      • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

        Filesize

        4KB

        MD5

        daedef3f9fba945c4959fbd126b80faa

        SHA1

        42c121d50657670257089936db5f9b24407d9355

        SHA256

        a4e451b87cb3baee40db83d6c4105b1bd8985b0fd52468defb3b039e00155dff

        SHA512

        71a12cd74a014941e62c045ddead3b26cac16e9fd674175a8fe59545bde9f1d6e99ccb93a03bc186a1d970cac7290409dd58c5d29ebb5a5cd233a5c2a1d793d2

      • F:\$RECYCLE.BIN\S-1-5-21-2170637797-568393320-3232933035-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        620a19effe07d3328cc5452da2fbe35c

        SHA1

        92bffb84d59818d50d44c33dca2c8327357c9793

        SHA256

        31955afe48c75ed2a886d0081e523333db89c87f12810e309e2440779c7a0bef

        SHA512

        436cbce449286ac986d32108836b42c8d4e4e6513453d781900cbf505f410e4a1f06a6c6f70e928e0d08d866b979fb2e8f3082752347697d2b59afdee54ebda8

      • memory/952-320-0x00007FF925FB0000-0x00007FF925FC0000-memory.dmp

        Filesize

        64KB

      • memory/952-318-0x00007FF925FB0000-0x00007FF925FC0000-memory.dmp

        Filesize

        64KB

      • memory/952-319-0x00007FF925FB0000-0x00007FF925FC0000-memory.dmp

        Filesize

        64KB

      • memory/952-317-0x00007FF925FB0000-0x00007FF925FC0000-memory.dmp

        Filesize

        64KB

      • memory/952-316-0x00007FF925FB0000-0x00007FF925FC0000-memory.dmp

        Filesize

        64KB

      • memory/952-349-0x00007FF923C00000-0x00007FF923C10000-memory.dmp

        Filesize

        64KB

      • memory/952-350-0x00007FF923C00000-0x00007FF923C10000-memory.dmp

        Filesize

        64KB

      • memory/4416-301-0x0000000002950000-0x0000000002960000-memory.dmp

        Filesize

        64KB

      • memory/4416-299-0x0000000002950000-0x0000000002960000-memory.dmp

        Filesize

        64KB

      • memory/4416-300-0x0000000002950000-0x0000000002960000-memory.dmp

        Filesize

        64KB

      • memory/4416-2-0x0000000002950000-0x0000000002960000-memory.dmp

        Filesize

        64KB

      • memory/4416-0-0x0000000002950000-0x0000000002960000-memory.dmp

        Filesize

        64KB

      • memory/4416-1-0x0000000002950000-0x0000000002960000-memory.dmp

        Filesize

        64KB