Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27/01/2025, 11:30
Behavioral task
behavioral1
Sample
2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Resource
win10v2004-20241007-en
General
-
Target
2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
-
Size
148KB
-
MD5
475f6e42f0cb53fc60fa80022826489f
-
SHA1
b1dc8069d4d667af8cc8cbff950dc7a67a129cc8
-
SHA256
5fee867e93f672a561fedf8bb2d8525ab4a9146a51f922c88d34eb5c2d60561d
-
SHA512
04663b3c60b26fcde8e1b30c061242ec0356b467d62b17128a4c72608e71425f43f540a41a60ba5c88b8a50f3a78bb5fcdddeea68589ac83806b24e22ecd9335
-
SSDEEP
3072:pqJogYkcSNm9V7DHjsdAzWxxLaMdg9nW2T:pq2kc4m9tDDsdAzWCMdY
Malware Config
Extracted
C:\utZMwPnzM.README.txt
Signatures
-
Renames multiple (327) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 1816 B00D.tmp -
Executes dropped EXE 1 IoCs
pid Process 1816 B00D.tmp -
Loads dropped DLL 1 IoCs
pid Process 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\utZMwPnzM.bmp" 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\utZMwPnzM.bmp" 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1816 B00D.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language B00D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\WallpaperStyle = "10" 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp 1816 B00D.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeDebugPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: 36 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeImpersonatePrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeIncBasePriorityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeIncreaseQuotaPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: 33 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeManageVolumePrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeProfSingleProcessPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeRestorePrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSystemProfilePrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeTakeOwnershipPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeShutdownPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeDebugPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeBackupPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe Token: SeSecurityPrivilege 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1316 wrote to memory of 1816 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe 30 PID 1316 wrote to memory of 1816 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe 30 PID 1316 wrote to memory of 1816 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe 30 PID 1316 wrote to memory of 1816 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe 30 PID 1316 wrote to memory of 1816 1316 2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe 30 PID 1816 wrote to memory of 1240 1816 B00D.tmp 31 PID 1816 wrote to memory of 1240 1816 B00D.tmp 31 PID 1816 wrote to memory of 1240 1816 B00D.tmp 31 PID 1816 wrote to memory of 1240 1816 B00D.tmp 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\ProgramData\B00D.tmp"C:\ProgramData\B00D.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B00D.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:1240
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x14c1⤵PID:1600
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5c2ca9bbc0d7c71e4289bb80fb27bbaf1
SHA13439b3469c4d5e03bc9525c97a59ad0af8b53886
SHA2564e8a1e588ff5f5843bd0a51b2b5b660fa412e586de94cb9d85fd139ba8905b54
SHA5125afb6d88b5267f071b5c55d1dac59ee8baa16d292fd7c90f8c29cd0d922ec2794e3c031265408b48e646830bd40ae88c0c220f4bc8938cc79406bc1de551cff7
-
Filesize
148KB
MD5974f2b5598c074df607beb8379333e22
SHA1e4c5bd6fdcea5e18c3c7c26fc093eb5c7d17472f
SHA256cb15707d7174dd419c5c687c4630eae6227bc0115703db97978b528ccec25089
SHA512bdfcf80c673e788e7c667d461b59bddb067b8f4d31f375d1e9db079037561fc3becb64ebf34dbdb811ef84b6d96c512ff9eb99e35bf57bd160f75287a13a2868
-
Filesize
2KB
MD5d9e1661bc09300cad8aa8d795b9ce0b3
SHA11676ba84687a2d7b27f73f3a37500317ba0d30a4
SHA256e2fa3f74d96324cd7dd0d611843e8102e897a8d65beac9d9491e8c42a7ada8bd
SHA5129fdaa9b0f68c19eba772fcb5b2ceaf371a0b78435a296765c3dbcdc5890218523d5844708473a685cf12ec559163fc3c87928b12e46bfda92faf2c5fc2d57f7f
-
Filesize
129B
MD5cdee457c4b19661384d7de14abaab0b6
SHA1eaf9e0527aa6794c0b7c8150ef7ab6cf74943b86
SHA256a1a80cb235b95da0e1b7a29c98e953d0c9d59fe6c3feaef82d077b1ebc06d16c
SHA5128d646e7473394c5629a6ea9d996c43f5c9571edab7ea980376375992ec625426f371f72ce95a1e750c3fa58b831c66c0353ef20cafff08457d06a2a7329fbade
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf