Analysis

  • max time kernel
    120s
  • max time network
    128s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    12-05-2021 19:34

General

  • Target

    516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

  • Size

    56KB

  • MD5

    84c1567969b86089cc33dccf41562bcd

  • SHA1

    53f2133cb25186e9fa6d4ea3b0e41eee5aba5ef2

  • SHA256

    516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b

  • SHA512

    72a411cacd503b6fadb15dc90f1f9beb79ff79c620df76da381e5c780c53e11258aae72db2848c241ec55af403d67d62340e429e86c23bbf8a71287738de7eaa

Score
10/10

Malware Config

Extracted

Path

C:\\README.aeef1a75.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 500GB data. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I When you open our website, put the following data in the input form: Key: I3tBdXvJ3pOvnhgmupZAJ7BpD5IVUftr7deEdtoxwK0QcbZciUXfs5ChjD0Yj8H2wUXfctFHYShVQHWhwi1CBDRQVPgXqnCgVRQql7B1tS8Q6TSdHq5o0UxOaDrdKCoMCdrMZiw0RTbfpDpuRwLI52rP5YaqZx492wErocN9C7PE6eFQEcqwqiFNA1FwVD3fogTJqOdTJI84FnlCBuRd1ippdTk8y2x16ukfPvVHi4MhyU8i4K1Q25a7wXQUPXhIffgZBnTimLzalSGyaI3f2MlQeYbpFG2o4nfnZCHDMAZAUY6CaiR0eAYVEvesreMmimT1EOyGYjNVtGHrJYXuRI4tYZIVlsHm6Ord42NV9s9PftLGkO8NBScZ9dBTNtz0xw9tpgu8GegVTlMesg6xkUAQWJcy6MNt9nJ7lHydpu27bA1GL8MX8lWAldnClSoUrDYRc8RAZ1oUfMfbtmvMDBGVENh8kMUYaxOt7hD1HxKFn0p5XcCDzWRSWkKUTtt7C6OiIpNOUAYYJ3UvC5S3uoXmt4iokkGq1SSMnr7sXmnekmh9oNwJgh7 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 15 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies data under HKEY_USERS 32 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
    "C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
    1⤵
      PID:3452
    • C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
      "C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
        "C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Modifies Control Panel
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
          C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe -work worker0 job0-1624
          3⤵
          • Modifies extensions of user files
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:488
        • C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
          C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe -work worker1 job1-1624
          3⤵
          • Enumerates connected drives
          PID:988
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2648

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/488-115-0x0000000000000000-mapping.dmp

    • memory/988-116-0x0000000000000000-mapping.dmp

    • memory/1624-114-0x0000000000000000-mapping.dmp