General

  • Target

    2025-02-03_fada690889cb0d344030fdce3ca25758_darkside

  • Size

    147KB

  • Sample

    250203-kg362sxrfl

  • MD5

    fada690889cb0d344030fdce3ca25758

  • SHA1

    f64fb65e59a2fdba3ce0f9d8c10e670ffa94f56f

  • SHA256

    b838571dbc7905cacd42173f5703f2d6799a35ea6346438ef055476cff7fb3f1

  • SHA512

    a41248233cd1d1ce9cff027256ac4f9be7e77b0f00075ad174345cb8ad5cb62a3afb73550ac6064faa08cd80cae60c5445fbb9386ddec8bc52059a3f1701c753

  • SSDEEP

    3072:O6glyuxE4GsUPnliByocWepE94iiK2uzAERpM:O6gDBGpvEByocWeFlyM

Malware Config

Extracted

Path

C:\cbNhUvy60.README.txt

Ransom Note
YOUR FILES ARE ENCRYPTED
Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable!
Your personal DECRYPTION ID: 57EF078892B7D9E27D095B3F2EBFA045
Do you really want to restore your files?
Write to email: [email protected]
Reserved email: [email protected]
telegram: @somran2025
Attention!
* Do not rename or edit encrypted files and archives containing encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
* We have been in your network for a long time. We know everything about your company most of your information has already been downloaded to our server. We recommend you to do not waste your time if you dont wont we start 2nd part.
* You have 24 hours to contact us.
* Otherwise, your data will be sold or made public.

Extracted

Path

C:\cbNhUvy60.README.txt

Ransom Note
YOUR FILES ARE ENCRYPTED
Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable!
Your personal DECRYPTION ID: 57EF078892B7D9E26C0C583CD9C72D6C
Do you really want to restore your files?
Write to email: [email protected]
Reserved email: [email protected]
telegram: @somran2025
Attention!
* Do not rename or edit encrypted files and archives containing encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
* We have been in your network for a long time. We know everything about your company most of your information has already been downloaded to our server. We recommend you to do not waste your time if you dont wont we start 2nd part.
* You have 24 hours to contact us.
* Otherwise, your data will be sold or made public.

Targets

    • Target

      2025-02-03_fada690889cb0d344030fdce3ca25758_darkside

    • Size

      147KB

    • MD5

      fada690889cb0d344030fdce3ca25758

    • SHA1

      f64fb65e59a2fdba3ce0f9d8c10e670ffa94f56f

    • SHA256

      b838571dbc7905cacd42173f5703f2d6799a35ea6346438ef055476cff7fb3f1

    • SHA512

      a41248233cd1d1ce9cff027256ac4f9be7e77b0f00075ad174345cb8ad5cb62a3afb73550ac6064faa08cd80cae60c5445fbb9386ddec8bc52059a3f1701c753

    • SSDEEP

      3072:O6glyuxE4GsUPnliByocWepE94iiK2uzAERpM:O6gDBGpvEByocWeFlyM

    • Renames multiple (355) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks