Analysis
max time kernel: 94s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2025, 04:04
Behavioral task: behavioral1
Sample: 8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe
Resource: win7-20240903-en
General
Target: 8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe
Size: 729KB
MD5: 98f37b55bc2ae96024a8cb8314d6e653
SHA1: 07ba58f1f7fb475377ea30413831977187ec612e
SHA256: 8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9
SHA512: f6369fb6954ddc0ccf1fad132a011a5d3bce71cc1417d8394618eabdefa0c5e5650100ab74d9c82f761d94c7bb5cdb49436a2c4d5a1e069d6061b47cf7dd5a14
SSDEEP: 12288:CquErHF6xC9D6DmR1J98w4oknqOOCyQfxXPp6wRr85P3DRZmI9SrIhnqe4DXc8Xj:Hrl6kD68JmlotQf/Rr8AwKDT
Malware Config
Extracted: darkcloud
email_from:
email_to:
Signatures

Darkcloud family

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hurtling.vbs  (process: hurtling.exe)

Executes dropped EXE (1 IoC)
  PID 5280  hurtling.exe

AutoIT Executable (2 IoCs)
  AutoIT scripts compiled to PE executables.
  yara rule autoit_exe: behavioral2/memory/1624-17-0x0000000000E40000-0x0000000000FDA000-memory.dmp
  yara rule autoit_exe: behavioral2/memory/5280-36-0x0000000000B80000-0x0000000000D1A000-memory.dmp

Suspicious use of SetThreadContext (1 IoC)
  PID 5280 (hurtling.exe) set thread context of PID 4720  (procid_target 90)

Yara rule upx (5 IoCs)
  behavioral2/memory/1624-0-0x0000000000E40000-0x0000000000FDA000-memory.dmp
  behavioral2/files/0x000e000000023ad3-13.dat
  behavioral2/memory/5280-15-0x0000000000B80000-0x0000000000D1A000-memory.dmp
  behavioral2/memory/1624-17-0x0000000000E40000-0x0000000000FDA000-memory.dmp
  behavioral2/memory/5280-36-0x0000000000B80000-0x0000000000D1A000-memory.dmp

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: hurtling.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: svchost.exe)

Suspicious behavior: MapViewOfSection (1 IoC)
  PID 5280  hurtling.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 1624  8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe
  PID 1624  8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe
  PID 5280  hurtling.exe
  PID 5280  hurtling.exe

Suspicious use of SendNotifyMessage (4 IoCs)
  PID 1624  8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe
  PID 1624  8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe
  PID 5280  hurtling.exe
  PID 5280  hurtling.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4720  svchost.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1624 (8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe) wrote to memory of PID 5280  (procid_target 89)
  PID 1624 (8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe) wrote to memory of PID 5280  (procid_target 89)
  PID 1624 (8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe) wrote to memory of PID 5280  (procid_target 89)
  PID 5280 (hurtling.exe) wrote to memory of PID 4720  (procid_target 90)
  PID 5280 (hurtling.exe) wrote to memory of PID 4720  (procid_target 90)
  PID 5280 (hurtling.exe) wrote to memory of PID 4720  (procid_target 90)
  PID 5280 (hurtling.exe) wrote to memory of PID 4720  (procid_target 90)
Processes

1. C:\Users\Admin\AppData\Local\Temp\8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe"
   PID: 1624
   - System Location Discovery: System Language Discovery
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Countee\hurtling.exe  (spawned by PID 1624)
      Command line: "C:\Users\Admin\AppData\Local\Temp\8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe"
      PID: 5280
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\svchost.exe  (spawned by PID 5280)
         Command line: "C:\Users\Admin\AppData\Local\Temp\8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe"
         PID: 4720
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
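The process tree and the WriteProcessMemory / SetThreadContext rows above together describe the injection chain: hurtling.exe (PID 5280) writes into a freshly spawned C:\Windows\SysWOW64\svchost.exe (PID 4720) and then sets its thread context, and that svchost.exe carries the dropper's own path as its command line. The script below is an added example, not tria.ge code, showing how to pull that chain out of a report mechanically; the PID rows and process records are constructed by transcribing this report, and the row wording ("PID <src> wrote to memory of <dst>", "PID <src> set thread context of <dst>") is assumed to match how the Signatures section renders.

```python
"""Triage helper: reconstruct the remote-write + SetThreadContext chain from
tria.ge-style signature rows and check the Startup-folder drop.

Added example, not tria.ge code. All input below is constructed from the report
above (PIDs 1624 -> 5280 -> 4720); the row format is an assumption.
"""
import re

ORIG = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9.exe")

# Constructed from the Processes section: image on disk vs. the command line each
# process was started with. All three processes carry the dropper's path as command line.
PROCESSES = {
    1624: {"image": ORIG, "cmdline": f'"{ORIG}"'},
    5280: {"image": r"C:\Users\Admin\AppData\Local\Countee\hurtling.exe", "cmdline": f'"{ORIG}"'},
    4720: {"image": r"C:\Windows\SysWOW64\svchost.exe", "cmdline": f'"{ORIG}"'},
}

# Constructed from the WriteProcessMemory and SetThreadContext signature rows.
SIGNATURE_ROWS = [
    "PID 1624 wrote to memory of 5280",
    "PID 5280 wrote to memory of 4720",
    "PID 5280 set thread context of 4720",
]

ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def parse_edges(rows):
    """Return {'write': {(src, dst)}, 'ctx': {(src, dst)}} from signature rows."""
    edges = {"write": set(), "ctx": set()}
    for row in rows:
        m = ROW_RE.search(row)
        if not m:
            continue  # rows belonging to other signatures are ignored
        src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
        edges["write" if verb.startswith("wrote") else "ctx"].add((src, dst))
    return edges


def image_from_cmdline(cmdline):
    """Return the executable a command line names (quoted path or first token), lowercased."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)].lower()
    return cmdline.split(" ", 1)[0].lower()


def find_hollowing(processes, rows):
    """Flag every target that the same writer both wrote to and set a thread context on.

    That pairing is what the report records for hurtling.exe -> svchost.exe. Each
    finding lists the reasons that make it look like hollowing rather than a benign
    debugger: system-binary target, image/command-line mismatch, user-path writer.
    """
    edges = parse_edges(rows)
    findings = []
    for src, dst in sorted(edges["write"] & edges["ctx"]):
        target = processes.get(dst)
        if target is None:
            continue
        image = target["image"].lower()
        reasons = ["remote write followed by SetThreadContext"]
        if image.startswith(SYSTEM_DIRS):
            reasons.append("target image is a Windows system binary")
        if image_from_cmdline(target["cmdline"]) != image:
            reasons.append("command line names a different executable than the image")
        writer = processes.get(src)
        if writer and writer["image"].lower().startswith("c:\\users\\"):
            reasons.append("writer runs from a user-writable path")
        findings.append({"writer": src, "target": dst, "reasons": reasons})
    return findings


def is_startup_drop(path):
    """True for a file created under a Start Menu\\Programs\\Startup folder (hurtling.vbs)."""
    return STARTUP_DIR in path.lower()


if __name__ == "__main__":
    for f in find_hollowing(PROCESSES, SIGNATURE_ROWS):
        print(f"PID {f['writer']} -> PID {f['target']}: " + "; ".join(f["reasons"]))
    print(is_startup_drop(r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                         r"\Start Menu\Programs\Startup\hurtling.vbs"))
```

Note that the 1624 -> 5280 write is deliberately not flagged: the dropper writes into hurtling.exe but never sets its thread context, so on this report only the hurtling.exe -> svchost.exe pair satisfies the check, which is the behaviour the MapViewOfSection and SetWindowsHookEx rows also point at.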
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1 (same hashes as the submitted sample)
  Filesize: 729KB
  MD5: 98f37b55bc2ae96024a8cb8314d6e653
  SHA1: 07ba58f1f7fb475377ea30413831977187ec612e
  SHA256: 8fb6d066b1cfe9e7f97a62410d0c9b3e42bc8980bec7254bb470b2bc01e148d9
  SHA512: f6369fb6954ddc0ccf1fad132a011a5d3bce71cc1417d8394618eabdefa0c5e5650100ab74d9c82f761d94c7bb5cdb49436a2c4d5a1e069d6061b47cf7dd5a14

File 2
  Filesize: 28KB
  MD5: eab6fde96f9c418abef519035d2af89f
  SHA1: d66d02553ba27f4afbe1a24068e4ded9f1b318b9
  SHA256: fd1dcf9fbe49430a242974e7fe8016ad8fcaf7e9f15b60b629ab10722ef9fde4
  SHA512: 6000be1e086003a6f1d193e645b3c8edc4b84e040810129208d98a6e1935d49c3d99dad4eaee498aa11062a796ed8879da848b9db91f01b42b490adf5e4ed231

File 3
  Filesize: 444KB
  MD5: 91ca7aa3267f4f5b0e6cf4ccb65fa2b2
  SHA1: 47671fc3b186314f87ab96abc5b7626885da4c5f
  SHA256: dbda3fda9e7fdf0eb2f878929f6e750814db10db0196adbda56d51b98e053cb1
  SHA512: aaa0006ed9dd62e8fa061db325e3f3ddb616f544061e64998a6790c4b4f43d46af5d8fd0d671dbdef65c6eaadc603442fd147e3fd713d1f1207c6c97ada88961