Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

26/01/2025, 14:44

250126-r4ce6svqhj 10

23/01/2025, 19:41

250123-yed12aslgn 10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/01/2025, 14:44

General

  • Target
    2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  • Size
    160KB
  • MD5
    3b7bbcc792998c87d854a9587d066d2e
  • SHA1
    0b3e8f3c71d3fbfa02ad9cef1f3cbaa83c8d2621
  • SHA256
    130d6de205082cf8be9c58f327f84080af79f2ebf6f50c83e23aa142f2247cd8
  • SHA512
    56d74eef6efb89837c048b1aa91358749992c1e41bc82fe646924efb16c7e32a1d4eeaeeb7d82a0a49314a4f3c47b909e7b1271acb40d1ae8d1c1755c8929ee7
  • SSDEEP
    3072:TDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368enHx6A2eyKQnWwAYEW:95d/zugZqll30Hw3eyZWwAY

Malware Config

Signatures

  • Renames multiple (180) files with added filename extension

    This suggests ransomware activity: the sample is encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\ProgramData\9F5B.tmp
      "C:\ProgramData\9F5B.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9F5B.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1784
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:836
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x148
    1⤵
    PID:556

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini
    Filesize: 129B
    MD5: 0a5b6641bf9695e9b733b4c013eb10da
    SHA1: 7116a9a10ab5a52a087f975265fb80598c262f5d
    SHA256: d398cb5efd4700ab22b75044460f88462a9a3023fac0d290bb422929bf066c22
    SHA512: 0713bbca20a374ac0bc9cac10abdc4cfe1d86070341f882059885b1178fcd2af4267ef1d503c2f66c844607d0e776f538b42e10161642c5ab9112873e1405727
  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
    Filesize: 160KB
    MD5: 70ce82870e343e58c63a074e970349d1
    SHA1: cf6120c09a900c9d4e1c53608a12f828a84669e0
    SHA256: e8eb20155a6cfbd0dcd56f53d7a4849368ed8d1800e48b77d28067db842199b8
    SHA512: 4ff60b278d7a4edefd9520005c8980bdeb8c1447dff88e776d31656693f28be6933e814c6d3e9e5dd3198969568c6827b72730ac7d1c2c570d83346b05891adb
  • C:\Users\PTfidxFX1.README.txt
    Filesize: 6KB
    MD5: 40321c683bdaba8745345c3794057f37
    SHA1: 431135ac3ba047680023ca36d7400b204d9eeff7
    SHA256: e673f59405b6b0506c24da9a5b522a14cd5827cf22c5ce593aaef28cb8e2e068
    SHA512: 7fd5971d68f9cd74240d5cb756acb9888a57d1da7a179bb45802b07acbb56b578b126ccb2f6dd9eb52e8568ae002b22b826941b772897844a9f133603bda9cbd
  • F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\DDDDDDDDDDD
    Filesize: 129B
    MD5: 1a5f5f2a7f37ab24ad4e74cb64f00a02
    SHA1: 7ef729932d250e234f423ba922755385744b6cfa
    SHA256: a32e42e5edcd8435ab299e787bda636baf951a9c6d0d4bd3abbe075b690aef2b
    SHA512: 9e47dbf6e5a322c538504f5260973122aed5b6567656b0d66a0b8f381c34b732b995ee9e4552814e07507e596c5e078b32bbeb18b886512ce0c4db357584c1e7
  • \ProgramData\9F5B.tmp
    Filesize: 14KB
    MD5: 294e9f64cb1642dd89229fff0592856b
    SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
  • memory/2108-0-0x0000000000DD0000-0x0000000000E10000-memory.dmp
    Filesize: 256KB
  • memory/2704-310-0x000000007EFA0000-0x000000007EFA1000-memory.dmp
    Filesize: 4KB
  • memory/2704-312-0x0000000002300000-0x0000000002340000-memory.dmp
    Filesize: 256KB
  • memory/2704-314-0x000000007EF80000-0x000000007EF81000-memory.dmp
    Filesize: 4KB
  • memory/2704-313-0x000000007EF20000-0x000000007EF21000-memory.dmp
    Filesize: 4KB
  • memory/2704-346-0x000000007EF60000-0x000000007EF61000-memory.dmp
    Filesize: 4KB
  • memory/2704-345-0x000000007EF40000-0x000000007EF41000-memory.dmp
    Filesize: 4KB