darkside | 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673

General

Target

f587adbd_by_Libranalysis.dll
Size

54KB
MD5

f587adbd83ff3f4d2985453cd45c7ab1
SHA1

2715340f82426f840cf7e460f53a36fc3aad52aa
SHA256

156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673
SHA512

37acf3c7a0b52421b4b33b14e5707497cfc52e57322ad9ffac87d0551220afc202d4c0987460d295077b9ee681fac2021bbfdebdc52c829b5f998ce7ac2d1efe

Score

10^/10

darkside ransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\\README.70d4d153.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB5QXP6LUZV654ASG7977V When you open our website, put the following data in the input form: Key: lmrlfxpjZBun4Eqc4Xd4XLJxEOL5JTOTLtwCOqxqxtFfu14zvKMrLMUiGV36bhzV5nfRPSSvroQiL6t36hV87qDIDlub946I5ud5QQIZC3EEzHaIy04dBugzgWIBf009Hkb5C7IdIYdEb5wH80HMVhurYzet587o6GinzDBOip4Bz7JIznXkqxIEHUN77hsUM8pMyH8twWettemxqB3PIOMvr7Aog9AIl1QhCYXC1HX97G5tp7OTlUfQOwtZZt5gvtMkOJ9UwgXZrRSDRc8pcCgmFZhGsCalBmIC08HCA40P7r5pcEn2PdBA6tt5oHma19OMBra3NwlkZVUVfIql643VPuvDLNiDtdR1EZhP1vb2t2HsKlGOffG7ql9Y2JWcu2uwjqwVdSzQtlXWM6mEy3xdm3lcJnztQ5Nh7jJ7bYgAb1hODbN9UektcOzYC0e0ZqjPVLY3opxNvYgCk8Bz9clmNXqsvMjBQXJQVb8o0IPMcDjYyhJuG0EevGlAWVq8WGS7JraW22zvlz8SQ4HdgUEJR0VbrsitXqIbIF9S2XGZmtxEsRStAey !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB5QXP6LUZV654ASG7977V

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

12 3808 rundll32.exe
14 3808 rundll32.exe
16 3808 rundll32.exe
18 3808 rundll32.exe
22 3808 rundll32.exe
23 3808 rundll32.exe

flow	pid	process
12	3808	rundll32.exe
14	3808	rundll32.exe
16	3808	rundll32.exe
18	3808	rundll32.exe
22	3808	rundll32.exe
23	3808	rundll32.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ResolveRegister.tif.70d4d153	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\SplitRedo.png.70d4d153	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\StopEdit.raw.70d4d153	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\BlockConvert.png.70d4d153	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\CopyReset.raw.70d4d153	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\JoinOut.tif.70d4d153	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteDisconnect.tiff.70d4d153	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\MergeUnregister.tiff.70d4d153	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\RestartEdit.raw.70d4d153	rundll32.exe

Drops startup file 2 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.70d4d153.TXT	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.70d4d153.TXT	rundll32.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

rundll32.exerundll32.exe

description ioc process

File opened (read-only) \??\Z: rundll32.exe
File opened (read-only) \??\Z: rundll32.exe

description	ioc	process
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe

Drops file in System32 directory 15 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAB7F775BADE1EC8628B8D8B4C22C44D	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAB7F775BADE1EC8628B8D8B4C22C44D	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	rundll32.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\70d4d153.BMP"	rundll32.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallpaperStyle = "10"	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f007200740061006e0061005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e0064006100740000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e005300680065006c006c0045007800700065007200690065006e006300650048006f00730074005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e0064006100740000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 14296429b6f894f3db919955ed86fbe2aa1d9b68a4ad0458a3c145afe7bea950	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 89e78f54d3aad250e4623b409d8609f13bf9ac892dfbadcd7eda17f462161fc6	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 02983fecea7c8590aed1f5057a7a6b5c62c0b8f185dade257f808e871d91913a	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = db8281d5db692cc86fc16cc369967436a8d98e87f21ca4dc9945948bf146dc83	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\70d4d153.BMP"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 938523bbcf6254232df9163f1a12bc0de06e5aece29cbfea5fe7b18edf19d71d	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 5b5da3156909079237ea73fd96da71718cfd473f39fa3a9591a7c25ef94317d6	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 00a6042495ba9e7ecab6c4f1c6abfbdd038e5372b86fb741a53b44ef63958e51	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 568a0908b1e7db1d9b0a7e162f076270f1acda2a953d20a03f5b079a90554890	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = d325531b29b94ad7e04011bc4d08113fb1f7469750dc5d7f3fbbaf298f4786da	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = fad6af837d928164df0afef964bcb4960253fc644b7ba5f82ea0acf227915b87	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 7f3eb749bdd67d941313dbf95713df978f069cac06dc0acf57ff2e412d3cf8d6	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = aa625599859042b6624c663496f8f3d0131062ce0efa494d122f0cfcd51d3ff1	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 258785ea67ee1a5714b2d936c1d7a8c632c66b507706024319c748e273114da7	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 6d3be45b4942cddbb6f9818ed87c71d6a5a0810ecbde1dfa77e32280bfe7dd8e	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f007200740061006e0061005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e0064006100740000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = fcca23bcc137dc2c10cab54cac1685727b32cc2d9f685deec82a79e8c46bf38a	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = ea91d780dd6b9a5f8dc2d89f1f8d0b92b65f5a715a69b70822c74baa26171239	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = f31f3e70c7f5e34f73c04a5f93a0b8e9b13de5444f7d4434bd00ce8b1e1d9ebc	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 8548e19d46e9b9786935db3fb7d745d442a7b99a4d4d7f7f02a60d76d259e61d	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = c4034b4a8da502223f329576d71e4f3173ed8191407bf5b01858434b3d3ffdb0	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 35da522d55130b98ef1f4da8f9233d869bfc3d2769e8b1aa7500e1c2720c5042	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 75e90292a91238c67582592ef11c656c5a3a345678de3b0fd6f0d8c728fc6f17	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f007200740061006e0061005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e006400610074002e004c004f004700310000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 8dbab3f59ae5cc590968be02f82380579c4a3d6aadd255c1dd362218b833579a	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c00540069006c00650044006100740061004c0061007900650072005c00440061007400610062006100730065005c004500440042002e006c006f00670000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = b521fff3dfd037974260c06ea08179b3eb0852ced1a88c44bfd76955b1110dfd	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f007200740061006e0061005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e006400610074002e004c004f004700310000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c00540065006d0070006f007200610072007900200049006e007400650072006e00650074002000460069006c00650073005c0063006f0075006e00740065007200730032002e0064006100740000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = efcfad3d033c9af400a7cf40e3f68d416f816d8ac6f1cb5d124d239324982543	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = ef2495e1447e15dc671387180e29e3bdd0d33428425c57e6357043ee771d47c0	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d002e0062006c00660000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = de75e6492f01f16f72ecd5c015d4a995d1d48cd26965b9663a29d248cb4b2d1e	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = d53dec042fa35bc9e9bf32e46535872eb0a0a791db6dd46a4b49e1a30cfa9dd9	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 5af0f5e4f207d475f783629813ceadbd85d5fa2defea1f41dd98cae96fe403a0	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 2a06f1adc7c3a60494aad97d6737042609eca99361f6e4f9c684af43d312ad72	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 21b1e7ac172e5a9076817449f3dd3f4336cf126db97fabc9b6dea311fa9b1a1d	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 549ac155b2ffc5c529ede8414ded0da3e925b97dad659d4aeb0701695c6e26c5	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 22bcd5ffe5e2d3a27e5804d22b37c827a52776a57712946fd6c75ab75f0cb837	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 8b2e4aed6d195e4c0deead601e652779bd58c9b586d55ab63323958df68af7e6	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = bdd4a6b421d0c338ca91990a4f01a1ffc1bc7cf473098446d4eb0f7bb102baea	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = ac13141bfe5223a0b6271497bd61a3abc7a2b623a1b94e7663d6ee660a1a6a35	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 7fc18ed230ca906b1383d9d9d22662c681e32234966408869e5da8ddf16311c0	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	rundll32.exe

Modifies registry class 26 IoCs

Processes:

SearchUI.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\70d4d153\DefaultIcon\ = "C:\\ProgramData\\70d4d153.ico"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.70d4d153	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.70d4d153\ = "70d4d153"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\70d4d153\DefaultIcon	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\70d4d153	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exerundll32.exe

pid	process
3808	rundll32.exe
3808	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe
940	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 512 vssvc.exe
Token: SeRestorePrivilege 512 vssvc.exe
Token: SeAuditPrivilege 512 vssvc.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SearchUI.exeShellExperienceHost.exe

pid process

2172 SearchUI.exe
3204 ShellExperienceHost.exe
3204 ShellExperienceHost.exe

description	pid	process
Token: SeBackupPrivilege	512	vssvc.exe
Token: SeRestorePrivilege	512	vssvc.exe
Token: SeAuditPrivilege	512	vssvc.exe

pid	process
2172	SearchUI.exe
3204	ShellExperienceHost.exe
3204	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 860 wrote to memory of 1588	860	rundll32.exe	rundll32.exe
PID 860 wrote to memory of 1588	860	rundll32.exe	rundll32.exe
PID 860 wrote to memory of 1588	860	rundll32.exe	rundll32.exe
PID 1900 wrote to memory of 3620	1900	rundll32.exe	rundll32.exe
PID 1900 wrote to memory of 3620	1900	rundll32.exe	rundll32.exe
PID 1900 wrote to memory of 3620	1900	rundll32.exe	rundll32.exe
PID 3620 wrote to memory of 3808	3620	rundll32.exe	rundll32.exe
PID 3620 wrote to memory of 3808	3620	rundll32.exe	rundll32.exe
PID 3620 wrote to memory of 3808	3620	rundll32.exe	rundll32.exe
PID 3808 wrote to memory of 940	3808	rundll32.exe	rundll32.exe
PID 3808 wrote to memory of 940	3808	rundll32.exe	rundll32.exe
PID 3808 wrote to memory of 940	3808	rundll32.exe	rundll32.exe
PID 3808 wrote to memory of 788	3808	rundll32.exe	rundll32.exe
PID 3808 wrote to memory of 788	3808	rundll32.exe	rundll32.exe
PID 3808 wrote to memory of 788	3808	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#1
2⤵
PID:1588

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#1
3⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#3 worker0 job0-3808
4⤵
- Modifies extensions of user files
- Drops startup file
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:940

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f587adbd_by_Libranalysis.dll,#3 worker1 job1-3808
4⤵
- Enumerates connected drives
PID:788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2172

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
- Drops file in Windows directory
PID:184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/184-119-0x000001DAA9200000-0x000001DAA9210000-memory.dmp

Filesize
64KB

Download
memory/184-120-0x000001DAA9250000-0x000001DAA9260000-memory.dmp

Filesize
64KB

Download
memory/184-121-0x000001DAA9520000-0x000001DAA9521000-memory.dmp

Filesize
4KB

Download
memory/788-118-0x0000000000000000-mapping.dmp

Download
memory/940-117-0x0000000000000000-mapping.dmp

Download
memory/1588-114-0x0000000000000000-mapping.dmp

Download
memory/3620-115-0x0000000000000000-mapping.dmp

Download
memory/3808-116-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads