General

  • Target

    b6855793aebdd821a7f368585335cb132a043d30cb1f8dccceb5d2127ed4b9a4.bin

  • Size

    56KB

  • Sample

    210510-gtfk73snsx

  • MD5

    f913d43ba0a9f921b1376b26cd30fa34

  • SHA1

    fd18c95cba3d2c31976605f680ad4b4308090b55

  • SHA256

    b6855793aebdd821a7f368585335cb132a043d30cb1f8dccceb5d2127ed4b9a4

  • SHA512

    4f7cad482394d88062e23e3c96025d63c0ae357ff56e475f0e7418718023f1f816cfa48fec0ca7a0b167485b86079519229575afebe748b98833bb7063757d1b

Score
10/10

Malware Config

Extracted

Path

C:\README.949640ab.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] ------------->

What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network.
Follow our instructions below and you will recover all your data.

What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
We guarantee to decrypt one file for free. Go to the site and contact us.

Data leak
----------------------------------------------
First of all we have uploaded more then 500GB data.
The data is preloaded and will be automatically published if you do not pay.
After publication, your data will be available for at least 6 months on our tor cdn servers.
We are ready:
- To provide you the evidence of stolen data
- To delete all the stolen data.

How to get access on website?
----------------------------------------------
Using a TOR browser:
1) Download and install TOR browser from this site: https://torproject.org/
2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/M4WA6U5QSGE711NVT9KYCULLHIMHCD9KVO20MKU2NJ6KS4E5PS1VJ5JVISJMC1YE
When you open our website, put the following data in the input form:
Key: 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

!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!!

URLs

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/M4WA6U5QSGE711NVT9KYCULLHIMHCD9KVO20MKU2NJ6KS4E5PS1VJ5JVISJMC1YE

Targets

    • Target

      b6855793aebdd821a7f368585335cb132a043d30cb1f8dccceb5d2127ed4b9a4.bin

    • Size

      56KB

    • MD5

      f913d43ba0a9f921b1376b26cd30fa34

    • SHA1

      fd18c95cba3d2c31976605f680ad4b4308090b55

    • SHA256

      b6855793aebdd821a7f368585335cb132a043d30cb1f8dccceb5d2127ed4b9a4

    • SHA512

      4f7cad482394d88062e23e3c96025d63c0ae357ff56e475f0e7418718023f1f816cfa48fec0ca7a0b167485b86079519229575afebe748b98833bb7063757d1b

    Score
    10/10
    • DarkSide

      Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks