Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 03/02/2025, 08:35 (day/month/year; the sample name carries the same 2025-02-03 date)
Behavioral tasks
- behavioral1: sample 2025-02-03_fada690889cb0d344030fdce3ca25758_darkside.exe, resource win7-20240708-en (the Windows 7 x64 run reported on this page)
- behavioral2: sample 2025-02-03_fada690889cb0d344030fdce3ca25758_darkside.exe, resource win10v2004-20241007-en
General
- Target: 2025-02-03_fada690889cb0d344030fdce3ca25758_darkside.exe
- Size: 147KB
- MD5: fada690889cb0d344030fdce3ca25758
- SHA1: f64fb65e59a2fdba3ce0f9d8c10e670ffa94f56f
- SHA256: b838571dbc7905cacd42173f5703f2d6799a35ea6346438ef055476cff7fb3f1
- SHA512: a41248233cd1d1ce9cff027256ac4f9be7e77b0f00075ad174345cb8ad5cb62a3afb73550ac6064faa08cd80cae60c5445fbb9386ddec8bc52059a3f1701c753
- SSDEEP: 3072:O6glyuxE4GsUPnliByocWepE94iiK2uzAERpM:O6gDBGpvEByocWeFlyM
Note: the submitted file name embeds the sample's own MD5 plus a date prefix and a "_darkside" suffix. That suffix is the submitter's label, not a sandbox verdict; no family-detection signature appears in the Signatures list below, so the family attribution is not established by this report.
Malware Config
Extracted
- Ransom note path (as recovered by the config extractor): C:\cbNhUvy60.README.txt
The extractor recovered only this path: a README note at the root of the C: volume. The report does not state which extension was appended to the renamed files.
Signatures
- Renames multiple (355) files with added filename extension
  This suggests ransomware activity: the process is encrypting files across the system and marking each one with a new extension. The report does not name the extension.
- Deletes itself (1 IoC)
  pid 1712  9AAA.tmp
  The deletion is carried out by the cmd.exe child shown in the process tree below (DEL /F /Q on the dropped file's own path).
- Executes dropped EXE (1 IoC)
  pid 1712  9AAA.tmp
- Loads dropped DLL (1 IoC)
  pid 2308  2025-02-03_fada690889cb0d344030fdce3ca25758_darkside.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. Caveat: a file encryptor that walks the whole user profile also opens browser profile directories, so for this sample the signature is weak evidence of credential theft on its own; treat it as such unless exfiltration is also observed.
- Drops desktop.ini file(s) (2 IoCs)
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini  by 2025-02-03_fada690889cb0d344030fdce3ca25758_darkside.exe
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini  by 2025-02-03_fada690889cb0d344030fdce3ca25758_darkside.exe
  The Recycle Bin folder for the same user SID was touched on two volumes (C: and F:), which matches the storage enumeration noted below.
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity. Here it is the dropped 9AAA.tmp removing itself after running.
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid 2308  2025-02-03_fada690889cb0d344030fdce3ca25758_darkside.exe  (4 calls)
  pid 1712  9AAA.tmp  (1 call)
  Setting ThreadHideFromDebugger on a thread stops an attached debugger from receiving events for it; both the dropper and the dropped payload use this anti-analysis measure.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Consistent with the F:\ volume activity above.
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 2025-02-03_fada690889cb0d344030fdce3ca25758_darkside.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 9AAA.tmp
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by cmd.exe
  This key is commonly read by ordinary console processes, so the cmd.exe hit carries little weight; the reads by the two sample processes are the relevant ones. The report shows the lookup but not what the sample did with the result.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 2308  2025-02-03_fada690889cb0d344030fdce3ca25758_darkside.exe  (12 occurrences)
- Suspicious behavior: RenamesItself (26 IoCs)
  pid 1712  9AAA.tmp  (26 occurrences)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All 64 recorded token adjustments are by pid 2308 (2025-02-03_fada690889cb0d344030fdce3ca25758_darkside.exe). Privileges enabled, in order of first appearance:
  SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, LUID 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, LUID 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, then SeDebugPrivilege again.
  The two numeric entries are privilege LUIDs the sandbox did not resolve to a name; on stock Windows builds LUID 33 is SeIncreaseWorkingSetPrivilege and LUID 36 is SeDelegateSessionUserImpersonatePrivilege. The remaining 48 entries are twelve repetitions of the four-call pattern SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege.
  Of these, SeBackupPrivilege and SeRestorePrivilege let the process open files regardless of their DACL, SeTakeOwnershipPrivilege lets it take ownership of objects it cannot otherwise access, and SeDebugPrivilege lets it open any process.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2308 (2025-02-03_fada690889cb0d344030fdce3ca25758_darkside.exe) wrote to memory of PID 1712 (9AAA.tmp), target procid 30: 5 times
  PID 1712 (9AAA.tmp) wrote to memory of PID 1912 (cmd.exe), target procid 31: 4 times
  In both cases the target is the writer's own freshly created child. A parent writing into a new child's address space (process parameters, for example) is the normal footprint of CreateProcess, so this signature alone does not establish code injection.
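Added example, not code from tria.ge or from the sample's authors: the file-activity heuristic below turns the first signature (a burst of renames that append one extension, a README note at a volume root, and desktop.ini rewrites under $Recycle.Bin on more than one volume) into detection logic and runs it over a constructed event stream modelled on this report. Everything in the stream is constructed: the event record fields, the attribution of the renames to PID 1712, and the appended extension `.cbNhUvy60` (the report does not say which extension was used; the value is borrowed from the note name for illustration).

```python
"""Ransomware file-activity heuristic over a constructed event stream.
Added example (not tria.ge code). FileEvent fields are invented; a Sysmon or
ETW file trace carries the same information under other names."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
import ntpath   # Windows path semantics, usable on any host
import re


@dataclass(frozen=True)
class FileEvent:
    ts: float           # seconds since trace start
    pid: int
    op: str             # "rename" | "create" | "modify"
    path: str           # path acted on (for rename: the source)
    new_path: str = ""  # rename destination


# "<token>.README.txt", the note naming seen in the extracted config
NOTE_RE = re.compile(r"^[A-Za-z0-9]+\.README\.txt$", re.IGNORECASE)


def appended_extension(src: str, dst: str) -> Optional[str]:
    """Suffix a rename appended ('report.docx' -> 'report.docx.abc' gives
    '.abc'), or None for a move or a rename that changed the base name."""
    sdir, sname = ntpath.split(src)
    ddir, dname = ntpath.split(dst)
    if sdir.lower() != ddir.lower():
        return None
    if not dname.lower().startswith(sname.lower() + "."):
        return None
    return dname[len(sname):]


def volume_of(path: str) -> str:
    return ntpath.splitdrive(path)[0].upper()


def analyse(events: List[FileEvent], pid: int,
            min_renames: int = 50, window_s: float = 60.0) -> Dict:
    """Summarise one process's file activity. Verdict: at least min_renames
    renames appending the same extension inside window_s seconds, plus one
    corroborating artefact (README note, second volume, $Recycle.Bin\\desktop.ini)."""
    renames = []                      # (ts, ext, volume) in time order
    notes, recycle_bin = set(), set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.pid != pid:
            continue
        if ev.op == "rename":
            ext = appended_extension(ev.path, ev.new_path)
            if ext:
                renames.append((ev.ts, ext.lower(), volume_of(ev.path)))
        elif ev.op in ("create", "modify"):
            d, name = ntpath.split(ev.path)
            if NOTE_RE.match(name):
                notes.add(ev.path)
            if name.lower() == "desktop.ini" and "$recycle.bin" in d.lower():
                recycle_bin.add(volume_of(ev.path))

    by_ext: Dict[str, int] = defaultdict(int)
    for _, ext, _ in renames:
        by_ext[ext] += 1
    ext, n_ext = max(by_ext.items(), key=lambda kv: kv[1], default=("", 0))

    # peak count of dominant-extension renames inside any window_s span
    ts = [t for t, e, _ in renames if e == ext]
    peak = lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window_s:
            lo += 1
        peak = max(peak, hi - lo + 1)

    volumes = {v for _, e, v in renames if e == ext}
    corroborated = bool(notes) or len(volumes) > 1 or bool(recycle_bin)
    return {"pid": pid, "extension": ext, "renames": n_ext,
            "peak_in_window": peak, "volumes": sorted(volumes),
            "notes": sorted(notes), "recycle_bin_volumes": sorted(recycle_bin),
            "ransomware_like": peak >= min_renames and corroborated}


SID = "S-1-5-21-3551809350-4263495960-1443967649-1000"   # user SID from the report


def constructed_trace() -> List[FileEvent]:
    """Constructed events modelled on the report: 355 renames by PID 1712
    (attribution assumed) appending '.cbNhUvy60' (extension assumed), the
    README note, desktop.ini on C: and F:, plus two benign renames by PID 400."""
    evs, t = [], 0.0
    for i in range(355):
        base = "C:\\Users\\Admin\\Documents" if i < 300 else "F:\\Backup"
        src = f"{base}\\file{i}.docx"
        evs.append(FileEvent(t, 1712, "rename", src, src + ".cbNhUvy60"))
        t += 0.1
    evs.append(FileEvent(t, 1712, "create", "C:\\cbNhUvy60.README.txt"))
    evs.append(FileEvent(t, 1712, "modify", f"C:\\$Recycle.Bin\\{SID}\\desktop.ini"))
    evs.append(FileEvent(t, 1712, "modify", f"F:\\$RECYCLE.BIN\\{SID}\\desktop.ini"))
    evs.append(FileEvent(1.0, 400, "rename", "C:\\Users\\Admin\\a.txt", "C:\\Users\\Admin\\b.txt"))
    evs.append(FileEvent(2.0, 400, "rename", "C:\\Users\\Admin\\x.log", "C:\\Users\\Admin\\x.log.bak"))
    return evs


if __name__ == "__main__":
    trace = constructed_trace()
    for p in (1712, 400):
        print(analyse(trace, p))
```

The rename count alone is a poor signal (backup tools and installers also rename in bulk), which is why the verdict also requires one of the artefacts this report shows: the note, a second volume, or the Recycle Bin desktop.ini rewrites. The 50-in-60-seconds threshold is a starting point to tune against your own file telemetry.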
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-02-03_fada690889cb0d344030fdce3ca25758_darkside.exe  (PID 2308, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-02-03_fada690889cb0d344030fdce3ca25758_darkside.exe"
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\9AAA.tmp  (PID 1712, depth 2)
    Command line: "C:\ProgramData\9AAA.tmp"
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  (PID 1912, depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9AAA.tmp >> NUL
      - System Location Discovery: System Language Discovery
      The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the caller is a 32-bit process (the resource tags list arch:x86), so WOW64 file system redirection substituted the 32-bit binary. C:\PROGRA~3 is the 8.3 short name for C:\ProgramData here, so this command deletes the dropped payload after it has run; the redirection to NUL hides the output.
- C:\Windows\system32\AUDIODG.EXE  (PID 1648, depth 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x14c
  Top-level Windows audio process, not spawned by the sample; background noise in the trace.
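Added example, not tria.ge code: the process-tree heuristic below looks for the chain shown above (a dropped .tmp executable under C:\ProgramData whose cmd.exe child deletes the parent's own image) over constructed process-creation records. The record fields, the parent PIDs 1000 and 800, and the benign cmd.exe event are invented for the example; the 8.3 short-name table is an assumption about a default install (on a live host, resolve short names with the file system instead), and the basename fallback covers paths the table does not know.

```python
"""Process-tree heuristic for 'dropper runs payload, payload deletes itself'.
Added example (not tria.ge code); ProcEvent fields are invented."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ntpath
import re

# Assumption about a default install: common 8.3 short names under C:\.
SHORT_NAMES = {"PROGRA~1": "Program Files",
               "PROGRA~2": "Program Files (x86)",
               "PROGRA~3": "ProgramData"}

# "DEL [/x ...] <target>"; the target ends at whitespace or a redirection
DEL_RE = re.compile(r"(?i)\bDEL\b(?:\s+/[A-Z])*\s+([^\s>]+)")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # path of the executable that actually ran
    cmdline: str


def expand_short_path(path: str) -> str:
    """Replace known 8.3 components: C:\\PROGRA~3\\x.tmp -> C:\\ProgramData\\x.tmp."""
    return "\\".join(SHORT_NAMES.get(p.upper(), p) for p in path.split("\\"))


def parse_del_target(cmdline: str) -> Optional[str]:
    """Path named by a DEL command in cmdline, short names expanded, else None."""
    m = DEL_RE.search(cmdline)
    return expand_short_path(m.group(1).strip('"')) if m else None


def dropped_tmp_location(image: str) -> bool:
    """True for a .tmp executable under C:\\ProgramData or a user Temp folder."""
    d, name = ntpath.split(image)
    d = d.lower()
    return name.lower().endswith(".tmp") and (
        d.startswith("c:\\programdata") or "\\appdata\\local\\temp" in d)


def find_self_delete_chains(events: List[ProcEvent]) -> List[Dict]:
    """Find cmd.exe children whose DEL target is their own parent's image."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        target = parse_del_target(e.cmdline)
        parent = by_pid.get(e.ppid)
        if not target or parent is None:
            continue
        same_path = target.lower() == expand_short_path(parent.image).lower()
        # fallback when the short-name table does not cover the path
        same_base = (ntpath.basename(target).lower()
                     == ntpath.basename(parent.image).lower())
        if same_path or same_base:
            dropper = by_pid.get(parent.ppid)
            findings.append({
                "cmd_pid": e.pid,
                "deleted_pid": parent.pid,
                "deleted_image": parent.image,
                "dropper_pid": dropper.pid if dropper else None,
                "dropped_tmp": dropped_tmp_location(parent.image),
                "match": "path" if same_path else "basename",
            })
    return findings


def constructed_tree() -> List[ProcEvent]:
    """The report's tree plus noise. Parent PIDs 1000 and 800 are invented."""
    sample = r"C:\Users\Admin\AppData\Local\Temp\2025-02-03_fada690889cb0d344030fdce3ca25758_darkside.exe"
    return [
        ProcEvent(2308, 1000, sample, f'"{sample}"'),
        ProcEvent(1712, 2308, r"C:\ProgramData\9AAA.tmp", r'"C:\ProgramData\9AAA.tmp"'),
        ProcEvent(1912, 1712, r"C:\Windows\SysWOW64\cmd.exe",
                  r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9AAA.tmp >> NUL'),
        ProcEvent(1648, 800, r"C:\Windows\system32\AUDIODG.EXE",
                  r"C:\Windows\system32\AUDIODG.EXE 0x14c"),
        # benign (constructed): a user shell deleting an old log file
        ProcEvent(2200, 1000, r"C:\Windows\System32\cmd.exe",
                  r'"C:\Windows\System32\cmd.exe" /C DEL /Q C:\Users\Admin\old.log'),
    ]


if __name__ == "__main__":
    for finding in find_self_delete_chains(constructed_tree()):
        print(finding)
```

The match is made on the executed image path rather than the command line, which is what lets the SysWOW64 cmd.exe launched as "System32\cmd.exe" still be recognised as cmd.exe. A finding with dropped_tmp set and a known dropper PID is the full chain from this report; a basename-only match is worth keeping as a lower-confidence hit.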
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped files (the extract does not map these hashes to file names).
- Filesize: 129B
  MD5: 60e4dc6b8b960c1dd0404412475d0a1e
  SHA1: e33a9f258593b51bd1e1ccc7cfd78f2d832bcadf
  SHA256: b2fd55ebd89d47d5f87e053fd043a0b8e2425d48e0136698c5cbc528420680b3
  SHA512: ef735d8bdfd43f3670198f70edba7c4fb006fcc1814da65c971da3372aab5770672d2ecd9f00a30822c9030fbad2d2df6fcddb3ba4d0d3da83edfe474f237c5a
- Filesize: 147KB (same size as the submitted sample, but a different hash)
  MD5: 7bddde424e2c4e89d7c279ca74fcf9e3
  SHA1: 7c8a22ee08f246712be8653a041f87bcf7548b6a
  SHA256: 9e7fafac6f7c6e084bcf66122e77350fb4aee28434db1e62c4bce53ca59a914e
  SHA512: a14b726418ddd08d0e9429d6ff641816db47b542ed71b03addac795bde292ff1664847d2b99d6e48975bea6198ff959a9701cc7eb567daea4a0af2fdec81da02
- Filesize: 1KB
  MD5: c452ac1fa88d14dd391d51bfbcebcace
  SHA1: ddc29b95c2b820620a780b0282dd59ee82ddbf8f
  SHA256: 955bbe4b16842272db5507f605a7f6b0254635d88b3e25bae9924927669b7fa6
  SHA512: b13eff76f30f429fb88c7e4f23c8a596f577b9b2814aa2d1372b7ac5b6de5d4b6563ba0975e7dbf39608263c391ca4e3ba9c612a381e78b6d488b8387af8cea1
- Filesize: 129B
  MD5: f3f0d216b57a29e00edccc4c148b1e9b
  SHA1: 45f27f20e1d8f03473adf41a05ddba8340278007
  SHA256: abcbdb2586db063a4dd171ae0e336d182b3b36071643b52961369e966c0a9c85
  SHA512: 8a98c5131998328a4e8ca41babbfa865d40ed0231b0ebde09a537d53484fb3594730921480a389a906d9dd844a38d41f060a71e46c1b08b230e2107775d7821d
- Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf