Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2025-01-28...de.exe

windows7-x64

9

2025-01-28...de.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    97s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/01/2025, 16:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-28_dbd1e940cb5d2d3ded216a7a55e43d85_darkside.exe

  • Size

    146KB

  • MD5

    dbd1e940cb5d2d3ded216a7a55e43d85

  • SHA1

    833e046616354a1c9d260aec6cd40d8477ab1012

  • SHA256

    e7df8e3297b3daa23d6633c9a87db2f05be14a0e45338bc3ff170f934cec6dd8

  • SHA512

    166d04c074f8ec6241ac04434a8ea473ab855b6aeca3c9b438147451315b582dd2572399c18335e053ebc20e9f65c43f6b6ba3018aa330c6ec334d6b6b0baad6

  • SSDEEP

    1536:ZzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD6mZlyPvJfHTbM8myFolkNstUyz:iqJogYkcSNm9V7D6mZl2vJ/8zlastT

Score
9/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (618) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 2 IoCs
    defense_evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-28_dbd1e940cb5d2d3ded216a7a55e43d85_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-28_dbd1e940cb5d2d3ded216a7a55e43d85_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\ProgramData\C63E.tmp
      "C:\ProgramData\C63E.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C63E.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2096

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\IIIIIIIIIII
    Filesize

    129B

    MD5

    ab25592de0b57bae823c39d375b5421d

    SHA1

    a2dfb65bbf41c5801af180ad0e318fb4243be8db

    SHA256

    e2dbc23afcf19d5cf6aa9019978acfeb8c094542077f1c055d554b0b6cc1d0f9

    SHA512

    8933f251833f4f71a115af1cc42790f0abfbb28721fe0909e6d074c3e418465ba0f46e591dcd5546adec738a61306afc7dda278d96e297fcb7366d2c8c71a1bc

    Download Submit

  • C:\ProgramData\C63E.tmp
    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
    Filesize

    146KB

    MD5

    b5a2507a6b0e888968c2b730991e2b9a

    SHA1

    ced8842e3c7af6892f4afa6e34aa0fc3be736625

    SHA256

    1df28aefcf737236986edc9fe739fd82d63d46ab72fa3dc0ef844fa5973b1d2d

    SHA512

    88746b6d44f77de72ebcc875fe0fa5f8b500e161b30c2f6b661ea33a95c203dae544f5f2d510148e686c569eb675e1d40ded17fdb6ff85ac7f1d9ee05b308277

    Download Submit

  • C:\V2li97crf.README.txt
    Filesize

    883B

    MD5

    0ccc05c707a4280f18a9cde2190a1f9c

    SHA1

    46b2059e639f751645dad047a8abc09448985371

    SHA256

    434e3d973e9bbf5f8e7e83ecde40426ff6047b1715eadbd62a03c8c97736c323

    SHA512

    e9ba9895ad5fbcd30980d0bfa3e73b49f797f46ab207f25dff543c696dcb027241797b9fbfe092fdab902d7662ee2d0b0a279b2a7feb372727dfc228420576a7

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-4050598569-1597076380-177084960-1000\DDDDDDDDDDD
    Filesize

    129B

    MD5

    27010de6ec7edbeaa5d1c6c3cab4851a

    SHA1

    4e06c5bfc057a28656dc006476ecb8d8e37e3c13

    SHA256

    a703f23a3c3b667275cba0ab292e3bf0e4b8761f7c6ae56c9f79c29bf9bf3f49

    SHA512

    439111c71a12542a79f193205275095e4f8f0714b0ff3fd5ed79412fc5dec0ec2cf0abf859c5b9032e915a9c1b9f67e94b1def6f967f4fd3d5ac9bdbca25d780

    Download Submit

  • memory/2340-2963-0x0000000003510000-0x0000000003520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2340-2956-0x0000000003510000-0x0000000003520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2340-2957-0x0000000003510000-0x0000000003520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2340-0-0x0000000003510000-0x0000000003520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2340-1-0x0000000003510000-0x0000000003520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2340-2-0x0000000003510000-0x0000000003520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2964-2967-0x000000007FE20000-0x000000007FE21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2964-2964-0x000000007FE40000-0x000000007FE41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2964-2965-0x00000000005B0000-0x00000000005C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2964-2966-0x00000000005B0000-0x00000000005C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2964-2968-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2964-2998-0x000000007FE00000-0x000000007FE01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2964-2997-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

    Filesize

    4KB

    Download