Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/03/2025, 14:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: RFQ.exe
- Resource: win7-20240903-en
General
- Target: RFQ.exe
- Size: 881KB
- MD5: 768bed9843a8a7c96699b27fc40b8819
- SHA1: 4ae495c3540252bef39276bf6e9fc84435f7b7bb
- SHA256: aa653ad0d107b2d7ab98d4ede0eef147b73fbd7eb2f522f0bf608f833daebe34
- SHA512: e23d433ac20532c512d2f2db1badbf4a2e43d2c28ff73553e2de79d82a012dbe1afe81d59bc830f4606ff3b54b08cbbcbd2b6448cdb12a3246ffb4607ac93539
- SSDEEP: 12288:TfNeE6xIVKGJA1R1MbXgf+GH4oGSlhA8b06JJe4Ii3QOeGiTJyxwC1ht2ddT+:wE6xcA1LMbDqXm8b0iJ7r6cxvE
Malware Config
Extracted
- Family: darkcloud
- Extracted URL (Telegram Bot API sendMessage endpoint): https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendMessage?chat_id=6732456666
Signatures
- Darkcloud family
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid 3888 powershell.exe; pid 2952 powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation (RFQ.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 3468 (RFQ.exe) set thread context of PID 4868 (procid_target 95)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by RFQ.exe, powershell.exe, schtasks.exe, powershell.exe, RFQ.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2276 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2952 powershell.exe; pid 3888 powershell.exe; pid 2952 powershell.exe; pid 3888 powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 4868 RFQ.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 3888 powershell.exe; Token: SeDebugPrivilege, pid 2952 powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 4868 RFQ.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 3468 (RFQ.exe) wrote to memory of:
  - PID 3888 (procid_target 89): 3 writes
  - PID 2952 (procid_target 91): 3 writes
  - PID 2276 (procid_target 92): 3 writes
  - PID 4868 (procid_target 95): 8 writes
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ.exe (PID 3468, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3888, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2952, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wOPQRmK.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2276, level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wOPQRmK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7C2.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\RFQ.exe (PID 4868, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx

Note: the child image paths resolve under C:\Windows\SysWOW64 while the command lines name C:\Windows\System32; the parent RFQ.exe is a 32-bit process (see the arch:x86 resource tag), so WOW64 file system redirection maps its System32 references to SysWOW64.
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
- Filesize: 18KB
- Filesize: 60B
- Filesize: 1KB