Analysis
-
max time kernel
61s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
10-05-2021 10:53
Static task
static1
Behavioral task
behavioral1
Sample
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe
Resource
win10v20210410
General
-
Target
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe
-
Size
54KB
-
MD5
0390938e8a9df14af45e264a128a5bf8
-
SHA1
f90f83c3dbcbe9b5437316a67a8abe6a101ef4c3
-
SHA256
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210
-
SHA512
c4b8d0d086a7f3c9aa83e2ad5baa36027cd8785878913b7dc0ad698066aaa0f298dec59cb6fb42cf76530c8be9b242bdacfb1253eb02a6ad84a872df4c586e98
Malware Config
Extracted
C:\\README.aeef1a75.TXT
darkside
https://ibb.co/VVs2pWQ
https://ibb.co/6mTC5z5
https://ibb.co/fkrPPvX
https://ibb.co/rHpTh5S
https://ibb.co/4KV5bZY
https://ibb.co/njzryN8
https://ibb.co/qRS30cL
https://ibb.co/1bwGGHH
https://ibb.co/dKbwVVY
https://ibb.co/8Nj4QQs
https://ibb.co/Csfhmq0
https://ibb.co/tbN2pXn
https://ibb.co/6ghqgbN
https://ibb.co/TgHvsjc
https://ibb.co/rQjXnyp
http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/2E84SN8WJ11IAIH947RGEYOYSO4S8DE3I3J16I5AXKUV2X4FZZN93AZ3D87T2E2O
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\ResolveHide.tiff a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Users\Admin\Pictures\ResolveHide.tiff.aeef1a75 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File renamed C:\Users\Admin\Pictures\StartUninstall.tif => C:\Users\Admin\Pictures\StartUninstall.tif.aeef1a75 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Users\Admin\Pictures\StartUninstall.tif.aeef1a75 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File renamed C:\Users\Admin\Pictures\TraceExport.tif => C:\Users\Admin\Pictures\TraceExport.tif.aeef1a75 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Users\Admin\Pictures\UpdateComplete.png.aeef1a75 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File renamed C:\Users\Admin\Pictures\WaitBackup.tif => C:\Users\Admin\Pictures\WaitBackup.tif.aeef1a75 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File renamed C:\Users\Admin\Pictures\ResolveHide.tiff => C:\Users\Admin\Pictures\ResolveHide.tiff.aeef1a75 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Users\Admin\Pictures\TraceExport.tif.aeef1a75 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File renamed C:\Users\Admin\Pictures\UpdateComplete.png => C:\Users\Admin\Pictures\UpdateComplete.png.aeef1a75 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Users\Admin\Pictures\WaitBackup.tif.aeef1a75 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exea11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exedescription ioc process File opened (read-only) \??\Z: a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened (read-only) \??\Z: a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -
Drops file in System32 directory 15 IoCs
Processes:
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAB7F775BADE1EC8628B8D8B4C22C44D a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAB7F775BADE1EC8628B8D8B4C22C44D a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\aeef1a75.BMP" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -
Modifies Control Panel 2 IoCs
Processes:
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "10" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -
Modifies data under HKEY_USERS 13 IoCs
Processes:
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Control Panel\International a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\aeef1a75.BMP" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -
Modifies registry class 5 IoCs
Processes:
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.aeef1a75 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.aeef1a75\ = "aeef1a75" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\aeef1a75\DefaultIcon a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\aeef1a75 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\aeef1a75\DefaultIcon\ = "C:\\ProgramData\\aeef1a75.ico" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exepid process 860 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe 860 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 192 vssvc.exe Token: SeRestorePrivilege 192 vssvc.exe Token: SeAuditPrivilege 192 vssvc.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exea11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exedescription pid process target process PID 1480 wrote to memory of 860 1480 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe PID 1480 wrote to memory of 860 1480 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe PID 1480 wrote to memory of 860 1480 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe PID 860 wrote to memory of 2596 860 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe PID 860 wrote to memory of 2596 860 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe PID 860 wrote to memory of 2596 860 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe PID 860 wrote to memory of 3976 860 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe PID 860 wrote to memory of 3976 860 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe PID 860 wrote to memory of 3976 860 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe"C:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe"C:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe"C:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe"2⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exeC:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -work worker0 job0-8603⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exeC:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -work worker1 job1-8603⤵
- Enumerates connected drives
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken