Resubmissions

  • 25/03/2025, 15:11 - 250325-skmbpsxzaw 10
  • 25/03/2025, 15:06 - 250325-sg1d6a1px2 10
  • 25/03/2025, 15:01 - 250325-sd5jpsxyct 10
  • 25/03/2025, 14:56 - 250325-sbdcfaxxgs 10
  • 25/03/2025, 14:50 - 250325-r7ve6a1nv3 10
  • 25/03/2025, 14:46 - 250325-r5ab7sxwhx 10
  • 25/03/2025, 14:40 - 250325-r2c9paxwe1 10
  • 05/02/2025, 10:25 - 250205-mgcefaslhw 10
  • 05/02/2025, 10:17 - 250205-mbs51atmbk 10
  • 05/02/2025, 09:15 - 250205-k785zs1pfn 10

General

  • Target

    RS.7z

  • Size

    20.5MB

  • Sample

    250325-r7ve6a1nv3

  • MD5

    2e40472330409ed96f91e8e0bb796eb4

  • SHA1

    8fd90404184de1a627068a93482313449dbbec91

  • SHA256

    c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

  • SHA512

    b11720cb8519fc6838161ba8bf696681b242b0789ffd5c442efbb50161d511fd65229ca88a347c856e8ff91501c077f5de7714b09e29d4400f595bfe7829189d

  • SSDEEP

    393216:NkDF1XseDcJIrXeSG0b5mKZ1F0gvpdO8GPnqzHLP3iN5M0CptgNpAcklC0CN:GDjXseDcSra45mKt0gvT0PnMbzkNpAc/

Malware Config

Extracted

Family

blackmatter

Version

1.2

Botnet

512478c08dada2af19e49808fbda5b0b

Credentials
C2

https://paymenthacks.com

http://paymenthacks.com

https://mojobiden.com

http://mojobiden.com

Attributes
  • attempt_auth

    true

  • create_mutex

    true

  • encrypt_network_shares

    true

  • exfiltrate

    true

  • mount_volumes

    true

rsa_pubkey.base64
aes.base64

Extracted

Family

mespinoza

Attributes
  • ransomnote

    Hi Company, Every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data back contact us: [email protected] [email protected] [email protected] Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet. Check out our website, we just posted there new updates for our partners: http://wqmfzni2nvbbpk25.onion/ -------------- FAQ: 1. Q: How can I make sure you don't fooling me? A: You can send us 2 files(max 2mb). 2. Q: What to do to get all data back? A: Don't restart the computer, don't move files and write us. 3. Q: What to tell my boss? A: Protect Your System Amigo.

Extracted

Family

sodinokibi

Botnet

$2a$10$kmb3nsvQXC.93GYNCGKy/uq9hYHivf0e3HcajFIifr8Hf3fmnofgm

Campaign

7258

Decoy

[decoy domain list omitted]

Attributes
  • net

    true

  • pid

    $2a$10$kmb3nsvQXC.93GYNCGKy/uq9hYHivf0e3HcajFIifr8Hf3fmnofgm

  • prc

    outlook

    agntsvc

    infopath

    sqbcoreservice

    steam

    firefox

    ocomm

    ocssd

    mydesktopqos

    oracle

    powerpnt

    wordpad

    synctime

    sql

    thebat

    onenote

    excel

    visio

    encsvc

    winword

    mydesktopservice

    dbsnmp

    isqlplussvc

    tbirdconfig

    mspub

    msaccess

    thunderbird

    ocautoupds

    xfssvccon

    dbeng50

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Data leak [+] First of all we have uploaded more then 70 GB archived data from your file server and SQL server Example of data: - Accounting - Finance - Personal Data - Banking data - Confidential files And more other... Our blog: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/ Read what happens to those who do not pay. We are ready: - To provide you the evidence of stolen data - To give you universal decrypting tool for all encrypted files. - To delete all the stolen data. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7258

  • svc

    svc$

    vss

    sophos

    mepocs

    backup

    sql

    memtas

    veeam

Extracted

Family

sodinokibi

Botnet

$2a$10$dfjpLrXuDytfF.kmYtQ1ROgsXjTJEe8EmQT65ftxlTpJtXPZrhsAq

Campaign

7178

Decoy

[decoy domain list omitted]

Attributes
  • net

    false

  • pid

    $2a$10$dfjpLrXuDytfF.kmYtQ1ROgsXjTJEe8EmQT65ftxlTpJtXPZrhsAq

  • prc

    avgadmsv

    BackupUpdater

    ocautoupds

    synctime

    thebat

    excel

    isqlplussvc

    ccSetMgr

    SPBBCSvc

    Sage.NA.AT_AU.SysTray

    lmibackupvssservice

    CarboniteUI

    powerpnt

    BackupMaint

    onenote

    klnagent

    sql

    Rtvscan

    xfssvccon

    Smc

    mspub

    encsvc

    LogmeInBackupService

    kavfsscs

    ccSvcHst

    BackupExtender

    NSCTOP

    outlook

    dbsnmp

    mydesktopservice

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Attention!!! [+] Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7178

  • svc

    ssistelemetry

    adsync

    svc$

    msseces

    mbamservice

    ssastelemetry

    altaro

    sbamsvc

    ds_notifier

    ntrtscan

    ofcservice

    code42service

    macmnsvc

    memtas

    auservice

    telemetryserver

    tmccsf

    psqlwge

    sppsvc

    viprepplsvc

    azurea

    ds_monitor

    swi_filter

    protectedstorage

    mfemms

    mfevtp

    kaseyaagentendpoint

    ltservice

    dssvc

    altiback

Extracted

Path

C:\Program Files\R3ADM3.txt

Family

conti

Ransom Note
All of your files are currently encrypted by CONTI ransomware. If you try to use any additional recovery software - the files might be damaged or lost. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can contact us for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion HTTPS VERSION : https://contirecovery.info YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded your data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us ASAP. ---BEGIN ID--- V8gTskvaU8gGgzzk0qC2sM90noCXm1AgvCkADBk9JhxwjahEd2MSBLQ5sgBZOEkq ---END ID---
URLs

http://m232fdxbfmbrcehbrj5iayknxnggf6niqfj6x4iedrgtab4qupzjlaid.onion

https://contirecovery.info

Extracted

Path

C:\Recovery\WindowsRE\README.ca14edc8.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3 When you open our website, put the following data in the input form: Key: [key omitted] !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3

Extracted

Path

C:\Users\Admin\README.285a2a32.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW When you open our website, put the following data in the input form: Key: [key omitted] !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW

Extracted

Path

C:\Recovery\README.bcdb72c5.TXT

Family

darkside

Ransom Note
----------- [ Welcome to Dark ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 100 GB data. Example of data: - Accounting data - Executive data - Sales data - Customer Support data - Marketing data - Quality data - And more other... Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To give you universal decrypting tool for all encrypted files. - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68 When you open our website, put the following data in the input form: Key: pr9gzRnMz6qEwr6ovMT0cbjd9yT56NctfQZGIiVVLgo0ME2EQpAUyZucG9BLrOJjno5XLPvCN11TFfnlFHa42u5mJxoeR5k5RUgQAC1MC6LBUj4YOOAUyiBrR HQSUM3pzGoEPRVOzXSZ8YqkJyFL0TDFBbWaBKQDOSo9GzKKoVRQ0Eb02F5geTPkTAqZZSfSQ6PBBlTGPSgGe2kCyuwwp7lDmRSJlNnHssMMZHVhXzyZ6fxiBY gNiuusFK8JNI5nrtRPp3bMAc6OEddxfJWj6o2GT1Xg9j87Jp4Oyv43E1J61jLJAWBkmoBB3Gqv07mtyDW5PnmxBlNzABbLFEvJMQL23sR8nnw4svzcZHxrqD1 xRcxqyeKtsaQ5yqLvyQgMdnrI2QoCqkHYYUfBIzjO8BXyBZdmjHanXE57jdDAhjaDUUqfL917cCyJr1uwVR0Xj5lJXe8BIKHd3dFrz70CsIXFAhicOsBlFzIn daNcAXXyL8Fg1avIXOcuEkGRDXt8Cs8b3TAB6n4DrbLJdiFjECo8yCA9pxvzqjXatumUloblWFZaUoLVYzP !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC

http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68

Extracted

Path

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\readme.txt

Family

dearcry

Ransom Note
Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! 638428e5021d4ae247b21acf9c0bf6f6

Targets

    • Target

      RansomwareSamples/Conti_22_12_2020_186KB.exe

    • Size

      185KB

    • MD5

      7076f9674bc42536d1e0e2ca80d1e4f6

    • SHA1

      854485ee63e5a399fffe150f04cd038d6a5490ef

    • SHA256

      ebeca2df24a55c629cf0ce0d4b703ed632819d8ac101b1b930ec666760036124

    • SHA512

      71c507108cc0c8b5609076672bd0b64a42c015995fe7220aa97e273c1754e63271edb06b284f4fc01b71a4751c1bcac0f572339e94ff0fd538dc0250caa9181a

    • SSDEEP

      3072:+qS7gtGIeq8KxrvRp1MImcZeuLaxugfCJsOlq8WkJK0BOog/Tt3onM9kHpOBae4f:zS7gtyuzFxm16axugfqlMw5g5BkOdSlr

    • Conti Ransomware

      Ransomware generally thought to be a successor to Ryuk.

    • Conti family

    • Renames multiple (8662) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      RansomwareSamples/Cuba_08_03_2021_1130KB.exe

    • Size

      1.1MB

    • MD5

      a12e733ddbe6f404b27474fa0e5de61d

    • SHA1

      e8d0c95621a19131ef9480e58a8d6dd3d15c9acd

    • SHA256

      271ef3c1d022829f0b15f2471d05a28d4786abafd0a9e1e742bde3f6b36872ad

    • SHA512

      f27605a283e958690eb7ad50aa46110b6d155217ad09d658ad3f9c4368d4c66ab623a0cc3489d695a02db462fec3bcf8ebee13f9da1bd61e2e3db46de2d73ddf

    • SSDEEP

      12288:xtwee4XgIijsCMtcTCWVRapiyC9vwic8CPK3EOnA+u+:8efgIiICMtIChp8N2K3EOAK

    Score
    7/10

    • Deletes itself

    • Target

      RansomwareSamples/DarkSide_01_05_2021_30KB.exe

    • Size

      30KB

    • MD5

      f00aded4c16c0e8c3b5adfc23d19c609

    • SHA1

      86ca4973a98072c32db97c9433c16d405e4154ac

    • SHA256

      4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a

    • SHA512

      a2697c2b008af3c51db771ba130590e40de2b0c7ad6f18b5ba284edffdc7a38623b56bc24939bd3867a55a7d263b236e02d1f0d718a5d3625402f2325cbfbedf

    • SSDEEP

      768:lXnIczxCbTRNl71wHpZQgYI1TQPB3aYJEOW:hIMxCXd1+pZQgYIxk3vJE

    • DarkSide

      Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    • Darkside family

    • Renames multiple (161) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Sets desktop wallpaper using registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      RansomwareSamples/DarkSide_16_01_2021_59KB.exe

    • Size

      59KB

    • MD5

      0ed51a595631e9b4d60896ab5573332f

    • SHA1

      7ae73b5e1622049380c9b615ce3b7f636665584b

    • SHA256

      243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60

    • SHA512

      9bfd6318b120c05d9a42a456511efc59f2be5ad451baa6d19d5de776e2ff74dbee444c85478ee7cfdbf705517cc147cd64c6814965f76c740fe1924594a37cb5

    • SSDEEP

      768:vjjmbIax7F3DS4/S9+CuUSbVAdNcxGV1yl3RYY23W58:0x7Fu4/ihrhDTV1ylhZ58

    • DarkSide

      Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    • Darkside family

    • Renames multiple (198) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Sets desktop wallpaper using registry

    • Target

      RansomwareSamples/DarkSide_18_11_2020_17KB.exe

    • Size

      17KB

    • MD5

      f87a2e1c3d148a67eaeb696b1ab69133

    • SHA1

      d1dfe82775c1d698dd7861d6dfa1352a74551d35

    • SHA256

      9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297

    • SHA512

      e361811b07a66d9a784be37bdace0bdec9e11374083d7ccf7d9830e47a59afa8b9d12d80d4d47ea1932116354ad60bbc8ea6a6a265885d264b35486986415ea3

    • SSDEEP

      384:SGyUrEk/yEoQE+yckIYN/pBa3AWK3T2oTboHblKR/:l4klFypIYFpB/x9ngb

    • DarkSide

      Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    • Darkside family

    • Renames multiple (169) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      RansomwareSamples/DearCry_13_03_2021_1292KB.exe

    • Size

      1.3MB

    • MD5

      0e55ead3b8fd305d9a54f78c7b56741a

    • SHA1

      f7b084e581a8dcea450c2652f8058d93797413c3

    • SHA256

      2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff

    • SHA512

      5c3d58d1001dce6f2d23f33861e9c7fef766b7fe0a86972e9f1eeb70bfad970b02561da6b6d193cf24bc3c1aaf2a42a950fa6e5dff36386653b8aa725c9abaaa

    • SSDEEP

      24576:LU5NX2yJOiUXmEICxu2WAP0NIzkQM+KpPRQ9StIUDpl1fpxkHVZgMCS+:L7XP7P9o5QzUtl1fpxkHVZgMC3

    • DearCry

      DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.

    • Dearcry family

    • Renames multiple (7441) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks

  • static1: pyinstaller, 512478c08dada2af19e49808fbda5b0b, upx, cryptone, packer, $2a$10$kmb3nsvqxc.93gyncgky/uq9hyhivf0e3hcajfiifr8hf3fmnofgm, 7258, $2a$10$dfjplrxudytff.kmytq1rogsxjtjee8emqt65ftxltpjtxpzrhsaq, 7178, blackmatter, medusalocker, mespinoza, sodinokibi (Score 10/10)
  • behavioral1: conti, credential_access, discovery, ransomware, spyware, stealer (Score 10/10)
  • behavioral2: conti, credential_access, discovery, ransomware, spyware, stealer (Score 10/10)
  • behavioral3: conti, credential_access, discovery, ransomware, spyware, stealer (Score 10/10)
  • behavioral4: conti, credential_access, discovery, ransomware, spyware, stealer (Score 10/10)
  • behavioral5: conti, credential_access, discovery, ransomware, spyware, stealer (Score 10/10)
  • behavioral6: discovery (Score 3/10)
  • behavioral7: discovery (Score 7/10)
  • behavioral8: discovery (Score 3/10)
  • behavioral9: discovery (Score 3/10)
  • behavioral10: discovery (Score 3/10)
  • behavioral11: darkside, credential_access, discovery, execution, ransomware, spyware, stealer, upx (Score 10/10)
  • behavioral12: darkside, credential_access, discovery, execution, ransomware, spyware, stealer, upx (Score 10/10)
  • behavioral13: darkside, credential_access, discovery, execution, ransomware, spyware, stealer, upx (Score 10/10)
  • behavioral14: darkside, credential_access, discovery, execution, ransomware, spyware, stealer, upx (Score 10/10)
  • behavioral15: darkside, credential_access, discovery, execution, ransomware, spyware, stealer, upx (Score 10/10)
  • behavioral16: darkside, credential_access, discovery, execution, ransomware, spyware, stealer (Score 10/10)
  • behavioral17: darkside, credential_access, discovery, execution, ransomware, spyware, stealer (Score 10/10)
  • behavioral18: darkside, credential_access, discovery, execution, ransomware, spyware, stealer (Score 10/10)
  • behavioral19: darkside, credential_access, discovery, execution, ransomware, spyware, stealer (Score 10/10)
  • behavioral20: darkside, credential_access, discovery, execution, ransomware, spyware, stealer (Score 10/10)
  • behavioral21: darkside, credential_access, discovery, execution, ransomware, spyware, stealer, upx (Score 10/10)
  • behavioral22: darkside, credential_access, discovery, execution, ransomware, spyware, stealer, upx (Score 10/10)
  • behavioral23: darkside, credential_access, discovery, execution, ransomware, spyware, stealer, upx (Score 10/10)
  • behavioral24: darkside, credential_access, discovery, execution, ransomware, spyware, stealer, upx (Score 10/10)
  • behavioral25: darkside, credential_access, discovery, execution, ransomware, spyware, stealer, upx (Score 10/10)
  • behavioral26: dearcry, discovery, persistence, ransomware, spyware, stealer (Score 10/10)
  • behavioral27: dearcry, discovery, ransomware, spyware, stealer (Score 10/10)
  • behavioral28: dearcry, discovery, persistence, ransomware, spyware, stealer (Score 10/10)
  • behavioral29: dearcry, discovery, persistence, ransomware, spyware, stealer (Score 10/10)
  • behavioral30: dearcry, discovery, persistence, ransomware, spyware, stealer (Score 10/10)