Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/02/2025, 08:35

General

  • Target

    2025-02-03_fada690889cb0d344030fdce3ca25758_darkside.exe

  • Size

    147KB

  • MD5

    fada690889cb0d344030fdce3ca25758

  • SHA1

    f64fb65e59a2fdba3ce0f9d8c10e670ffa94f56f

  • SHA256

    b838571dbc7905cacd42173f5703f2d6799a35ea6346438ef055476cff7fb3f1

  • SHA512

    a41248233cd1d1ce9cff027256ac4f9be7e77b0f00075ad174345cb8ad5cb62a3afb73550ac6064faa08cd80cae60c5445fbb9386ddec8bc52059a3f1701c753

  • SSDEEP

    3072:O6glyuxE4GsUPnliByocWepE94iiK2uzAERpM:O6gDBGpvEByocWeFlyM

Malware Config

Extracted

Path

C:\cbNhUvy60.README.txt

Ransom Note
YOUR FILES ARE ENCRYPTED
Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable!
Your personal DECRYPTION ID: 57EF078892B7D9E27D095B3F2EBFA045
Do you really want to restore your files?
Write to email: [email protected]
Reserved email: [email protected]
telegram: @somran2025
Attention!
* Do not rename or edit encrypted files and archives containing encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
* We have been in your network for a long time. We know everything about your company most of your information has already been downloaded to our server. We recommend you to do not waste your time if you dont wont we start 2nd part.
* You have 24 hours to contact us.
* Otherwise, your data will be sold or made public.

Signatures

  • Renames multiple (355) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
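
The "renames multiple files with added filename extension" signature and the ransom-note path in the Malware Config are two observations a detection engineer would correlate rather than alert on separately. The following is an added example, not tria.ge's signature logic and not code from the sample: it runs over a constructed file-event stream in the shape an EDR or Sysmon feed would provide, counts renames where the original name is kept and an extension is appended, and links a mass-rename finding to a `<ext>.README.txt` dropped at a drive root. The appended extension `cbNhUvy60` used in the constructed events is an assumption taken from the note's filename; the report does not state which extension the sample actually appends.

```python
"""Correlate mass appended-extension renames with a root-level ransom note.

Added example; this is not tria.ge's signature logic and not code from the
sample. Input is a constructed list of file-system events in the shape an
EDR or Sysmon feed would provide: (sequence, pid, action, old_path, new_path).
"""
import re
from collections import defaultdict

# Assumption for the constructed data only: the report names the note
# C:\cbNhUvy60.README.txt but does not state which extension the sample
# appends to encrypted files, so the extension used here is hypothetical.
SAMPLE_EXT = "cbNhUvy60"
DOCS = "C:\\Users\\Admin\\Documents\\"

EVENTS = (  # constructed events
    [(i, 2308, "rename", DOCS + f"doc{i}.docx", DOCS + f"doc{i}.docx." + SAMPLE_EXT)
     for i in range(12)]
    + [(100, 2308, "create", None, "C:\\" + SAMPLE_EXT + ".README.txt"),
       # benign renames from another process: no appended extension
       (101, 4444, "rename", "C:\\Users\\Admin\\a.txt", "C:\\Users\\Admin\\b.txt"),
       (102, 4444, "rename", "C:\\Users\\Admin\\report.tmp", "C:\\Users\\Admin\\report.pdf")]
)

# ransom note dropped at a drive root, named after the appended extension
NOTE_RE = re.compile(r"^[A-Za-z]:\\([A-Za-z0-9]+)\.README\.txt$")


def appended_extension(old_path, new_path):
    """Return ext when new_path == old_path + '.' + ext (original name kept), else None."""
    if not new_path.startswith(old_path + "."):
        return None
    ext = new_path[len(old_path) + 1:]
    # a real appended extension is a single path-less component
    if not ext or "\\" in ext or "." in ext:
        return None
    return ext


def analyse(events, threshold=10):
    """Return one finding per (pid, extension) that renamed >= threshold files."""
    counts = defaultdict(int)   # (pid, ext) -> appended-extension renames
    notes = {}                  # ext -> ransom note path seen at a drive root
    for _, pid, action, old, new in events:
        if action == "rename" and old is not None:
            ext = appended_extension(old, new)
            if ext:
                counts[(pid, ext)] += 1
        elif action == "create":
            m = NOTE_RE.match(new)
            if m:
                notes[m.group(1)] = new
    findings = []
    for (pid, ext), n in sorted(counts.items()):
        if n >= threshold:
            findings.append({"pid": pid, "ext": ext, "renames": n,
                             "ransom_note": notes.get(ext)})
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

The threshold is per process and per extension, so a single user renaming a few files by hand does not trip it, while an encryptor that keeps the original filename and appends one fixed extension does; tuning the threshold against the 355 renames reported above is the realistic starting point.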

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-03_fada690889cb0d344030fdce3ca25758_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-03_fada690889cb0d344030fdce3ca25758_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\ProgramData\9AAA.tmp
      "C:\ProgramData\9AAA.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9AAA.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1912
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:1648
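
The tree above shows the dropped `C:\ProgramData\9AAA.tmp` removing its own image through a child `cmd.exe /C DEL /F /Q C:\PROGRA~3\9AAA.tmp >> NUL`; the 8.3 short name `PROGRA~3` is what makes a naive string match between the DEL target and the parent's image path fail. The following is an added example, not tria.ge's signature logic and not code from the sample: it walks a constructed process tree modelled on the one above, extracts the DEL target from the cmd.exe command line, expands the well-known 8.3 directory aliases, and flags a child cmd.exe whose target resolves to its parent's executable. The alias table (PROGRA~3 as `C:\ProgramData`) is an assumption that holds on a stock install; a file's own short name (for example `SAMPLE~1.EXE`) cannot be resolved without querying the file system.

```python
"""Flag a child cmd.exe whose DEL target resolves to its parent's own image.

Added example; not tria.ge's signature logic and not code from the sample.
PROCS is a constructed process tree modelled on the one in the report.
Only the well-known 8.3 aliases of a stock install are expanded (assumption:
PROGRA~3 is C:\\ProgramData on this host); a file's own short name such as
SAMPLE~1.EXE cannot be resolved without querying the file system.
"""
import re

SHORT_DIRS = {          # assumption: default 8.3 aliases on a stock Windows install
    "PROGRA~1": "Program Files",
    "PROGRA~2": "Program Files (x86)",
    "PROGRA~3": "ProgramData",
}

PROCS = [  # constructed; mirrors the process tree in the report
    {"pid": 2308, "ppid": 1000,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe",
     "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe\""},
    {"pid": 1712, "ppid": 2308,
     "image": "C:\\ProgramData\\9AAA.tmp",
     "cmdline": "\"C:\\ProgramData\\9AAA.tmp\""},
    {"pid": 1912, "ppid": 1712,
     "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": "\"C:\\Windows\\System32\\cmd.exe\" /C DEL /F /Q C:\\PROGRA~3\\9AAA.tmp >> NUL"},
    {"pid": 1648, "ppid": 600,
     "image": "C:\\Windows\\system32\\AUDIODG.EXE",
     "cmdline": "C:\\Windows\\system32\\AUDIODG.EXE 0x14c"},
]

# cmd.exe /C or /K ... DEL [switches] <target>; the target may be quoted
SHELL_RE = re.compile(r"\s/[ck]\s", re.IGNORECASE)
DEL_RE = re.compile(r'\bdel\b(?:\s+/\S+)*\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def expand_short_path(path):
    """Expand known 8.3 directory aliases and case-fold for comparison."""
    parts = path.split("\\")
    return "\\".join(SHORT_DIRS.get(p.upper(), p) for p in parts).lower()


def del_target(cmdline):
    """Return the DEL target from a cmd.exe command line, or None."""
    if not SHELL_RE.search(cmdline):
        return None
    m = DEL_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def find_self_deletions(procs):
    """Return one hit per parent whose own image is deleted by its child cmd.exe."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        if not p["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(p["ppid"])
        target = del_target(p["cmdline"])
        if parent is None or target is None:
            continue
        if expand_short_path(target) == expand_short_path(parent["image"]):
            hits.append({"cmd_pid": p["pid"], "deleted_pid": parent["pid"],
                         "target": target, "resolved": expand_short_path(target)})
    return hits


if __name__ == "__main__":
    for hit in find_self_deletions(PROCS):
        print(hit)
```

Matching on the resolved path rather than the raw string is the point: the `>> NUL` redirect and the short-name target are both there to make the command look unremarkable in a process log, and the parent image (`C:\ProgramData\9AAA.tmp`) is gone by the time anyone looks at the host, so the process-creation record is often the only artifact left.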

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini

      Filesize

      129B

      MD5

      60e4dc6b8b960c1dd0404412475d0a1e

      SHA1

      e33a9f258593b51bd1e1ccc7cfd78f2d832bcadf

      SHA256

      b2fd55ebd89d47d5f87e053fd043a0b8e2425d48e0136698c5cbc528420680b3

      SHA512

      ef735d8bdfd43f3670198f70edba7c4fb006fcc1814da65c971da3372aab5770672d2ecd9f00a30822c9030fbad2d2df6fcddb3ba4d0d3da83edfe474f237c5a

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      147KB

      MD5

      7bddde424e2c4e89d7c279ca74fcf9e3

      SHA1

      7c8a22ee08f246712be8653a041f87bcf7548b6a

      SHA256

      9e7fafac6f7c6e084bcf66122e77350fb4aee28434db1e62c4bce53ca59a914e

      SHA512

      a14b726418ddd08d0e9429d6ff641816db47b542ed71b03addac795bde292ff1664847d2b99d6e48975bea6198ff959a9701cc7eb567daea4a0af2fdec81da02

    • C:\cbNhUvy60.README.txt

      Filesize

      1KB

      MD5

      c452ac1fa88d14dd391d51bfbcebcace

      SHA1

      ddc29b95c2b820620a780b0282dd59ee82ddbf8f

      SHA256

      955bbe4b16842272db5507f605a7f6b0254635d88b3e25bae9924927669b7fa6

      SHA512

      b13eff76f30f429fb88c7e4f23c8a596f577b9b2814aa2d1372b7ac5b6de5d4b6563ba0975e7dbf39608263c391ca4e3ba9c612a381e78b6d488b8387af8cea1

    • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      f3f0d216b57a29e00edccc4c148b1e9b

      SHA1

      45f27f20e1d8f03473adf41a05ddba8340278007

      SHA256

      abcbdb2586db063a4dd171ae0e336d182b3b36071643b52961369e966c0a9c85

      SHA512

      8a98c5131998328a4e8ca41babbfa865d40ed0231b0ebde09a537d53484fb3594730921480a389a906d9dd844a38d41f060a71e46c1b08b230e2107775d7821d

    • \ProgramData\9AAA.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/1712-883-0x0000000000401000-0x0000000000404000-memory.dmp

      Filesize

      12KB

    • memory/1712-885-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/2308-0-0x0000000000D40000-0x0000000000D80000-memory.dmp

      Filesize

      256KB