Overview

overview

10

Static

static

156335b95b...le.dll

windows7_x64

10

156335b95b...le.dll

windows10_x64

10

Resubmissions

02-02-2022 05:52

220202-gkv33aggfr 10

02-02-2022 05:47

220202-gg54vsggej 10

02-02-2022 05:04

220202-fqg8qagcfl 10

02-02-2022 05:01

220202-fnve9sgcck 10

02-02-2022 04:58

220202-fl8j4sgeh6 10

02-02-2022 04:52

220202-fhc9ssged6 10

02-02-2022 04:44

220202-fc77zsgahr 10

02-02-2022 04:39

220202-e95mpagacp 10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    26-07-2021 12:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.sample.dll

  • Size

    54KB

  • MD5

    f587adbd83ff3f4d2985453cd45c7ab1

  • SHA1

    2715340f82426f840cf7e460f53a36fc3aad52aa

  • SHA256

    156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673

  • SHA512

    37acf3c7a0b52421b4b33b14e5707497cfc52e57322ad9ffac87d0551220afc202d4c0987460d295077b9ee681fac2021bbfdebdc52c829b5f998ce7ac2d1efe

Score
10/10
darksideransomware

Malware Config

Extracted

Path

C:\\README.949640ab.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB5QXP6LUZV654ASG7977V When you open our website, put the following data in the input form: Key: lmrlfxpjZBun4Eqc4Xd4XLJxEOL5JTOTLtwCOqxqxtFfu14zvKMrLMUiGV36bhzV5nfRPSSvroQiL6t36hV87qDIDlub946I5ud5QQIZC3EEzHaIy04dBugzgWIBf009Hkb5C7IdIYdEb5wH80HMVhurYzet587o6GinzDBOip4Bz7JIznXkqxIEHUN77hsUM8pMyH8twWettemxqB3PIOMvr7Aog9AIl1QhCYXC1HX97G5tp7OTlUfQOwtZZt5gvtMkOJ9UwgXZrRSDRc8pcCgmFZhGsCalBmIC08HCA40P7r5pcEn2PdBA6tt5oHma19OMBra3NwlkZVUVfIql643VPuvDLNiDtdR1EZhP1vb2t2HsKlGOffG7ql9Y2JWcu2uwjqwVdSzQtlXWM6mEy3xdm3lcJnztQ5Nh7jJ7bYgAb1hODbN9UektcOzYC0e0ZqjPVLY3opxNvYgCk8Bz9clmNXqsvMjBQXJQVb8o0IPMcDjYyhJuG0EevGlAWVq8WGS7JraW22zvlz8SQ4HdgUEJR0VbrsitXqIbIF9S2XGZmtxEsRStAey !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB5QXP6LUZV654ASG7977V

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    ransomwaredarkside
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 58 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.sample.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.sample.dll,#1
      2⤵
        PID:2044
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.sample.dll,#1
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.sample.dll,#1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1420
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.sample.dll,#1
          3⤵
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Modifies Control Panel
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1284
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.sample.dll,#3 worker0 job0-1284
            4⤵
            • Modifies extensions of user files
            • Drops startup file
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            PID:1512
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:584

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1284-64-0x0000000000000000-mapping.dmp
      Download
    • memory/1420-62-0x0000000000000000-mapping.dmp
      Download
    • memory/1512-66-0x0000000000000000-mapping.dmp
      Download
    • memory/2044-60-0x0000000000000000-mapping.dmp
      Download
    • memory/2044-61-0x0000000075721000-0x0000000075723000-memory.dmp
      Filesize

      8KB

      Download