Analysis
- max time kernel: 151s
- max time network: 94s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 21-08-2021 10:33
Static task: static1
Behavioral task: behavioral1
- Sample: acer.bin.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: acer.bin.exe
- Resource: win10v20210408
General
- Target: acer.bin.exe
- Size: 56KB
- MD5: 979692cd7fc638beea6e9d68c752f360
- SHA1: c511ae4d80aaa281c610190aa13630de61ca714c
- SHA256: 0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9
- SHA512: d7b7b6a968e6d7b7f3e7f98decb6b331b08122e491bf0b0dbe243223fb177218a758c34830f20c47f2a799acdd146297ec7f930c2bb4d5c6830ce65c8274ea6d
Malware Config
Extracted
C:\\README.949640ab.TXT
darkside
http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q
http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Modifies extensions of user files 17 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: acer.bin.exe
- File renamed: C:\Users\Admin\Pictures\HideAdd.tiff => C:\Users\Admin\Pictures\HideAdd.tiff.949640ab (acer.bin.exe)
- File opened for modification: C:\Users\Admin\Pictures\SetInstall.tiff.949640ab (acer.bin.exe)
- File opened for modification: C:\Users\Admin\Pictures\ExitSelect.tiff (acer.bin.exe)
- File opened for modification: C:\Users\Admin\Pictures\ExitSelect.tiff.949640ab (acer.bin.exe)
- File renamed: C:\Users\Admin\Pictures\ExitSelect.tiff => C:\Users\Admin\Pictures\ExitSelect.tiff.949640ab (acer.bin.exe)
- File opened for modification: C:\Users\Admin\Pictures\HideAdd.tiff.949640ab (acer.bin.exe)
- File opened for modification: C:\Users\Admin\Pictures\ReceiveWait.tif.949640ab (acer.bin.exe)
- File renamed: C:\Users\Admin\Pictures\SetInstall.tiff => C:\Users\Admin\Pictures\SetInstall.tiff.949640ab (acer.bin.exe)
- File renamed: C:\Users\Admin\Pictures\AddDebug.crw => C:\Users\Admin\Pictures\AddDebug.crw.949640ab (acer.bin.exe)
- File opened for modification: C:\Users\Admin\Pictures\ConvertFromStart.crw.949640ab (acer.bin.exe)
- File opened for modification: C:\Users\Admin\Pictures\HideAdd.tiff (acer.bin.exe)
- File renamed: C:\Users\Admin\Pictures\ProtectWrite.raw => C:\Users\Admin\Pictures\ProtectWrite.raw.949640ab (acer.bin.exe)
- File opened for modification: C:\Users\Admin\Pictures\ProtectWrite.raw.949640ab (acer.bin.exe)
- File renamed: C:\Users\Admin\Pictures\ReceiveWait.tif => C:\Users\Admin\Pictures\ReceiveWait.tif.949640ab (acer.bin.exe)
- File opened for modification: C:\Users\Admin\Pictures\SetInstall.tiff (acer.bin.exe)
- File opened for modification: C:\Users\Admin\Pictures\AddDebug.crw.949640ab (acer.bin.exe)
- File renamed: C:\Users\Admin\Pictures\ConvertFromStart.crw => C:\Users\Admin\Pictures\ConvertFromStart.crw.949640ab (acer.bin.exe)
Drops file in System32 directory 1 IoCs
Processes: acer.bin.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (acer.bin.exe)
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: acer.bin.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\949640ab.BMP" (acer.bin.exe)
Modifies Control Panel 2 IoCs
Processes: acer.bin.exe
- Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop (acer.bin.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10" (acer.bin.exe)
Modifies data under HKEY_USERS 46 IoCs
Modifies registry class 5 IoCs
Processes: acer.bin.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.949640ab\ = "949640ab" (acer.bin.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab\DefaultIcon (acer.bin.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab (acer.bin.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab\DefaultIcon\ = "C:\\ProgramData\\949640ab.ico" (acer.bin.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.949640ab (acer.bin.exe)
Opens file in notepad (likely ransom note) 1 IoCs
Processes: NOTEPAD.EXE
- pid 224: NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes: acer.bin.exe, acer.bin.exe
- pid 1160: acer.bin.exe (2 events)
- pid 1476: acer.bin.exe (24 events)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: vssvc.exe
- Token: SeBackupPrivilege, pid 744 (vssvc.exe)
- Token: SeRestorePrivilege, pid 744 (vssvc.exe)
- Token: SeAuditPrivilege, pid 744 (vssvc.exe)
Suspicious use of WriteProcessMemory 9 IoCs
Processes: acer.bin.exe, acer.bin.exe
- PID 1100 (acer.bin.exe) wrote to memory of PID 1160 (acer.bin.exe): 5 events
- PID 1160 (acer.bin.exe) wrote to memory of PID 1476 (acer.bin.exe): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\acer.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\acer.bin.exe"
- C:\Users\Admin\AppData\Local\Temp\acer.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\acer.bin.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\acer.bin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\acer.bin.exe"
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\acer.bin.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\acer.bin.exe -work worker0 job0-1160
      - Modifies extensions of user files
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.949640ab.TXT
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\README.949640ab.TXT
  MD5: 164aa420be8e0c2bcdef574355edaa32
  SHA1: 4336eaafedfc18a27cdf42bffad63b5a54ea8231
  SHA256: b326d11dd90c2e4efb0a384981f71c2bd1a6faa0553d6389acb08945b699f73d
  SHA512: fd1437bc4f45e3f4b5c3d0e7fca9383f45edceb5c8cb603d0b8ee98350a5f2468c2aabdb66f16bdee0bac49afefa4300a093a54ee43b1ff28a541ae612e34d9d
- memory/224-66-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp
  Filesize: 8KB
- memory/1096-60-0x0000000075281000-0x0000000075283000-memory.dmp
  Filesize: 8KB
- memory/1160-62-0x0000000000000000-mapping.dmp
- memory/1476-64-0x0000000000000000-mapping.dmp