Analysis
- max time kernel: 141s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20250207-en
- resource tags: arch:x64, arch:x86, image:win7-20250207-en, locale:en-us, os:windows7-x64, system
- submitted: 12/03/2025, 02:36
Static task
static1
Behavioral task
behavioral1
Sample
RFQ.exe
Resource
win7-20250207-en
General
- Target: RFQ.exe
- Size: 881KB
- MD5: 768bed9843a8a7c96699b27fc40b8819
- SHA1: 4ae495c3540252bef39276bf6e9fc84435f7b7bb
- SHA256: aa653ad0d107b2d7ab98d4ede0eef147b73fbd7eb2f522f0bf608f833daebe34
- SHA512: e23d433ac20532c512d2f2db1badbf4a2e43d2c28ff73553e2de79d82a012dbe1afe81d59bc830f4606ff3b54b08cbbcbd2b6448cdb12a3246ffb4607ac93539
- SSDEEP: 12288:TfNeE6xIVKGJA1R1MbXgf+GH4oGSlhA8b06JJe4Ii3QOeGiTJyxwC1ht2ddT+:wE6xcA1LMbDqXm8b0iJ7r6cxvE
Malware Config
Extracted
darkcloud
https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendMessage?chat_id=6732456666
Signatures

- Darkcloud family

- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid  | Process
  1872 | powershell.exe
  3016 | powershell.exe

- Suspicious use of SetThreadContext (1 IoCs)
  description                         | pid  | Process | procid_target
  PID 2364 set thread context of 2264 | 2364 | RFQ.exe | 39

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                          | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RFQ.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RFQ.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  | Process
  2888 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid  | Process
  2364 | RFQ.exe
  2364 | RFQ.exe
  2364 | RFQ.exe
  2364 | RFQ.exe
  1872 | powershell.exe
  3016 | powershell.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid  | Process
  2264 | RFQ.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              | pid  | Process
  Token: SeDebugPrivilege  | 2364 | RFQ.exe
  Token: SeDebugPrivilege  | 1872 | powershell.exe
  Token: SeDebugPrivilege  | 3016 | powershell.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid  | Process
  2264 | RFQ.exe

- Suspicious use of WriteProcessMemory (29 IoCs)
  description                    | pid  | Process | procid_target
  PID 2364 wrote to memory of 1872 | 2364 | RFQ.exe | 31
  PID 2364 wrote to memory of 1872 | 2364 | RFQ.exe | 31
  PID 2364 wrote to memory of 1872 | 2364 | RFQ.exe | 31
  PID 2364 wrote to memory of 1872 | 2364 | RFQ.exe | 31
  PID 2364 wrote to memory of 3016 | 2364 | RFQ.exe | 33
  PID 2364 wrote to memory of 3016 | 2364 | RFQ.exe | 33
  PID 2364 wrote to memory of 3016 | 2364 | RFQ.exe | 33
  PID 2364 wrote to memory of 3016 | 2364 | RFQ.exe | 33
  PID 2364 wrote to memory of 2888 | 2364 | RFQ.exe | 35
  PID 2364 wrote to memory of 2888 | 2364 | RFQ.exe | 35
  PID 2364 wrote to memory of 2888 | 2364 | RFQ.exe | 35
  PID 2364 wrote to memory of 2888 | 2364 | RFQ.exe | 35
  PID 2364 wrote to memory of 2856 | 2364 | RFQ.exe | 37
  PID 2364 wrote to memory of 2856 | 2364 | RFQ.exe | 37
  PID 2364 wrote to memory of 2856 | 2364 | RFQ.exe | 37
  PID 2364 wrote to memory of 2856 | 2364 | RFQ.exe | 37
  PID 2364 wrote to memory of 2824 | 2364 | RFQ.exe | 38
  PID 2364 wrote to memory of 2824 | 2364 | RFQ.exe | 38
  PID 2364 wrote to memory of 2824 | 2364 | RFQ.exe | 38
  PID 2364 wrote to memory of 2824 | 2364 | RFQ.exe | 38
  PID 2364 wrote to memory of 2264 | 2364 | RFQ.exe | 39
  PID 2364 wrote to memory of 2264 | 2364 | RFQ.exe | 39
  PID 2364 wrote to memory of 2264 | 2364 | RFQ.exe | 39
  PID 2364 wrote to memory of 2264 | 2364 | RFQ.exe | 39
  PID 2364 wrote to memory of 2264 | 2364 | RFQ.exe | 39
  PID 2364 wrote to memory of 2264 | 2364 | RFQ.exe | 39
  PID 2364 wrote to memory of 2264 | 2364 | RFQ.exe | 39
  PID 2364 wrote to memory of 2264 | 2364 | RFQ.exe | 39
  PID 2364 wrote to memory of 2264 | 2364 | RFQ.exe | 39
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\RFQ.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
  PID: 2364
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
    PID: 1872
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wOPQRmK.exe"
    PID: 3016
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wOPQRmK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCE66.tmp"
    PID: 2888
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  [depth 2] C:\Users\Admin\AppData\Local\Temp\RFQ.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
    PID: 2856

  [depth 2] C:\Users\Admin\AppData\Local\Temp\RFQ.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
    PID: 2824

  [depth 2] C:\Users\Admin\AppData\Local\Temp\RFQ.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
    PID: 2264
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path recorded)
  Filesize: 1KB
  MD5: 13e931aa5188fc23a96d511833a7656c
  SHA1: 84fbdb00c37d3f917a00d60bdcbc6e8ae73f09bc
  SHA256: c73cda18ba010a8fdd15aa474df7357da1e090d6a5754395f2c2418758908f71
  SHA512: 02600d13781800f3ee9a62584e5e3556ae58850171213949360da5d9b4d877e8ed31a90c0ac7a303cf563671f1ca6a15ecb265198bddc3447824536a331d3d6b

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 5efb211d2c6750c30d4e015e49cb0e95
  SHA1: 80b811c5eb17ba342013f094ad58a0ab2e873781
  SHA256: 3de9f48ebb82e92f6bcdfe468791bda3212b2624ecbe33ab6860e14d1a208b63
  SHA512: da9d17f14c0394cf4395044c3d7d836e2e8ca24898410fb054362798317739ee4e77968d7e26609a3b1be447dbdddd178a64c47585acbda72b835b001a99e76f