Analysis
-
max time kernel
35s -
max time network
121s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
26-07-2021 12:39
General
-
Target
bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe
-
Size
56KB
-
MD5
b68be0dacf09904cd4a0fbe0aab3842e
-
SHA1
5212151679ce396651887edfe0e7d1f5eda4da29
-
SHA256
bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec
-
SHA512
5a6466de3c48b5fb3b1c5b2360e144596cc981ce7ccb2b59034dd0724293bf31ff8297fb5b2033e891dfb64ad0b25627ec4690dfcde0d2b107aca3c54b10ad92
Score
10/10
Malware Config
Extracted
Path
C:\\README.70d4d153.TXT
Family
darkside
Ransom Note
----------- [ Welcome to DarkSide ] ------------->
What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network.
Follow our instructions below and you will recover all your data.
What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
We guarantee to decrypt one file for free. Go to the site and contact us.
How to get access on website?
----------------------------------------------
Using a TOR browser:
1) Download and install TOR browser from this site: https://torproject.org/
2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/0UGH4S3ASFAVY4P2TQZ6VNB0U65Y731LJ5SNZXC1AHEZFFY1JCIJV6PVHV0R0V2C
When you open our website, put the following data in the input form:
Key:
ujoNuLSl1oCjV8rkvAVuQ96Iw9kjGo0rCElelGl4rtQfuXUS8S5CWdzuQevZ2hfaFRE8zNlJiG928SnuWHcfZgjizliwCaCJMJEcdE1Ww55XHABdt3mecg3dCVXJcTCHHsubWNe2trrl3HK5VkYG0sVb1j8p6zChQY3tIc66AXClhRclxbxwBG7jyAqW35ozWYkI9JjpcqxJuF3UB6dicpYf3IwUaqXZL7SjCEx5yItLgwjUvm2r83M5C8sNQJSEXPCP49c5TepQDjo1cOuqZ0f4GHHlkmwW19az6ns7PSpS2o4SScUyuoYB0DkZRylbkazPf10b7aXqM5Z4Le45T0la7QmkIj8or61xPokGgsHyiDbXOgigOkHH4aQecaO1CA6xko4YiaAXJUFfQEn60YMyklHAvBshmCFTMXSa2K0zQ2hvDrUiP9gIqnpXqhpjJAdFo41MGuZSnpPka09tmflNRO7OGBF4Q18s1laCatkc6GLkt35LFErit6Lfj2cHxiEFKY3D6ku28Yikk28sITqXiSTPjiTyEqtP2vOj8ZPJ0GCOXfAq2LC
!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!!
URLs
http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/0UGH4S3ASFAVY4P2TQZ6VNB0U65Y731LJ5SNZXC1AHEZFFY1JCIJV6PVHV0R0V2C
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 5 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Modifies Control Panel 2 IoCs
-
Modifies data under HKEY_USERS 29 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe"C:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe"C:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe"C:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe"2⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exeC:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe -work worker0 job0-21443⤵
- Modifies extensions of user files
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exeC:\Users\Admin\AppData\Local\Temp\bac7f1cb70a0fe909590f7b270248705d216b4abaf4e5dd4969fa4f1949badec.sample.exe -work worker1 job1-21443⤵
- Enumerates connected drives
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2036-116-0x0000000000000000-mapping.dmp
-
memory/2144-114-0x0000000000000000-mapping.dmp
-
memory/4088-115-0x0000000000000000-mapping.dmp