Overview

overview

10

Static

static

bac7f1cb70...le.exe

windows7_x64

10

bac7f1cb70...le.exe

windows10_x64

10

Analysis

  • max time kernel
    137s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    26-07-2021 12:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe

  • Size

    56KB

  • MD5

    b68be0dacf09904cd4a0fbe0aab3842e

  • SHA1

    5212151679ce396651887edfe0e7d1f5eda4da29

  • SHA256

    bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec

  • SHA512

    5a6466de3c48b5fb3b1c5b2360e144596cc981ce7ccb2b59034dd0724293bf31ff8297fb5b2033e891dfb64ad0b25627ec4690dfcde0d2b107aca3c54b10ad92

Score
10/10
darksideransomware

Malware Config

Extracted

Path

C:\\README.53411c86.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/0UGH4S3ASFAVY4P2TQZ6VNB0U65Y731LJ5SNZXC1AHEZFFY1JCIJV6PVHV0R0V2C When you open our website, put the following data in the input form: Key: ujoNuLSl1oCjV8rkvAVuQ96Iw9kjGo0rCElelGl4rtQfuXUS8S5CWdzuQevZ2hfaFRE8zNlJiG928SnuWHcfZgjizliwCaCJMJEcdE1Ww55XHABdt3mecg3dCVXJcTCHHsubWNe2trrl3HK5VkYG0sVb1j8p6zChQY3tIc66AXClhRclxbxwBG7jyAqW35ozWYkI9JjpcqxJuF3UB6dicpYf3IwUaqXZL7SjCEx5yItLgwjUvm2r83M5C8sNQJSEXPCP49c5TepQDjo1cOuqZ0f4GHHlkmwW19az6ns7PSpS2o4SScUyuoYB0DkZRylbkazPf10b7aXqM5Z4Le45T0la7QmkIj8or61xPokGgsHyiDbXOgigOkHH4aQecaO1CA6xko4YiaAXJUFfQEn60YMyklHAvBshmCFTMXSa2K0zQ2hvDrUiP9gIqnpXqhpjJAdFo41MGuZSnpPka09tmflNRO7OGBF4Q18s1laCatkc6GLkt35LFErit6Lfj2cHxiEFKY3D6ku28Yikk28sITqXiSTPjiTyEqtP2vOj8ZPJ0GCOXfAq2LC !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/0UGH4S3ASFAVY4P2TQZ6VNB0U65Y731LJ5SNZXC1AHEZFFY1JCIJV6PVHV0R0V2C

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    ransomwaredarkside
  • Modifies extensions of user files 19 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe"
    1⤵
      PID:1920
    • C:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe
      "C:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe
        "C:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe"
        2⤵
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Modifies Control Panel
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:840
        • C:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe
          C:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe -work worker0 job0-840
          3⤵
          • Modifies extensions of user files
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:592
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:996

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/592-64-0x0000000000000000-mapping.dmp
      Download
    • memory/840-62-0x0000000000000000-mapping.dmp
      Download
    • memory/1920-60-0x0000000076691000-0x0000000076693000-memory.dmp
      Filesize

      8KB

      Download