Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 26/01/2025, 14:44
Behavioral task: behavioral1
- Sample: 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
- Resource: win10v2004-20241007-en
General
- Target: 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
- Size: 160KB
- MD5: 3b7bbcc792998c87d854a9587d066d2e
- SHA1: 0b3e8f3c71d3fbfa02ad9cef1f3cbaa83c8d2621
- SHA256: 130d6de205082cf8be9c58f327f84080af79f2ebf6f50c83e23aa142f2247cd8
- SHA512: 56d74eef6efb89837c048b1aa91358749992c1e41bc82fe646924efb16c7e32a1d4eeaeeb7d82a0a49314a4f3c47b909e7b1271acb40d1ae8d1c1755c8929ee7
- SSDEEP: 3072:TDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368enHx6A2eyKQnWwAYEW:95d/zugZqll30Hw3eyZWwAY
Malware Config
Signatures
- Renames multiple (180) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself (1 IoC)
  pid 2704 | Process 9F5B.tmp
- Executes dropped EXE (1 IoC)
  pid 2704 | Process 9F5B.tmp
- Loads dropped DLL (1 IoC)
  pid 2108 | Process 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
- Drops desktop.ini file(s) (2 IoCs)
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\PTfidxFX1.bmp" | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\PTfidxFX1.bmp" | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
  pid 2108 | Process 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe (6 entries)
  pid 2704 | Process 9F5B.tmp (6 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9F5B.tmp
- Modifies Control Panel (2 IoCs)
  Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
- Modifies registry class (5 IoCs)
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PTfidxFX1\DefaultIcon | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PTfidxFX1 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PTfidxFX1\DefaultIcon\ = "C:\\ProgramData\\PTfidxFX1.ico" | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.PTfidxFX1 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.PTfidxFX1\ = "PTfidxFX1" | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 2108 | Process 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe (12 entries)
- Suspicious behavior: RenamesItself (26 IoCs)
  pid 2704 | Process 9F5B.tmp (26 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeAssignPrimaryTokenPrivilege | pid 2108 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Token: SeBackupPrivilege | pid 2108 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Token: SeDebugPrivilege | pid 2108 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Token: 36 | pid 2108 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Token: SeImpersonatePrivilege | pid 2108 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Token: SeIncBasePriorityPrivilege | pid 2108 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Token: SeIncreaseQuotaPrivilege | pid 2108 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Token: 33 | pid 2108 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Token: SeManageVolumePrivilege | pid 2108 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Token: SeProfSingleProcessPrivilege | pid 2108 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Token: SeRestorePrivilege | pid 2108 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Token: SeSecurityPrivilege | pid 2108 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Token: SeSystemProfilePrivilege | pid 2108 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Token: SeTakeOwnershipPrivilege | pid 2108 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Token: SeShutdownPrivilege | pid 2108 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Token: SeDebugPrivilege | pid 2108 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Token: SeBackupPrivilege | pid 836 | vssvc.exe
  Token: SeRestorePrivilege | pid 836 | vssvc.exe
  Token: SeAuditPrivilege | pid 836 | vssvc.exe
  The remaining 45 entries are repeated, alternating SeBackupPrivilege and SeSecurityPrivilege adjustments by pid 2108 (2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe).
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2108 wrote to memory of 2704 | pid 2108 | 2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe | procid_target 34 (5 entries)
  PID 2704 wrote to memory of 1784 | pid 2704 | 9F5B.tmp | procid_target 38 (4 entries)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-01-23_3b7bbcc792998c87d854a9587d066d2e_darkside.exe"
  PID: 2108
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\9F5B.tmp (child of PID 2108)
    Command line: "C:\ProgramData\9F5B.tmp"
    PID: 2704
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (child of PID 2704)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9F5B.tmp >> NUL
      PID: 1784
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 836
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x148
  PID: 556
Network
MITRE ATT&CK Enterprise v15
Downloads