Analysis
- max time kernel: 20s
- max time network: 116s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-08-2021 10:33

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: acer.bin.exe, Resource: win7v20210410)
- Behavioral task: behavioral2 (Sample: acer.bin.exe, Resource: win10v20210408)
General
- Target: acer.bin.exe
- Size: 56KB
- MD5: 979692cd7fc638beea6e9d68c752f360
- SHA1: c511ae4d80aaa281c610190aa13630de61ca714c
- SHA256: 0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9
- SHA512: d7b7b6a968e6d7b7f3e7f98decb6b331b08122e491bf0b0dbe243223fb177218a758c34830f20c47f2a799acdd146297ec7f930c2bb4d5c6830ce65c8274ea6d
Malware Config
- Extracted from: C:\\README.70d4d153.TXT
- Family: darkside
- URLs:
  - http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q
  - http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM
Signatures
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
- Modifies extensions of user files (24 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: acer.bin.exe
  - File renamed: C:\Users\Admin\Pictures\DisableMove.tif => C:\Users\Admin\Pictures\DisableMove.tif.70d4d153
  - File opened for modification: C:\Users\Admin\Pictures\ImportSubmit.crw.70d4d153
  - File renamed: C:\Users\Admin\Pictures\InitializeConvert.tif => C:\Users\Admin\Pictures\InitializeConvert.tif.70d4d153
  - File renamed: C:\Users\Admin\Pictures\InstallSearch.png => C:\Users\Admin\Pictures\InstallSearch.png.70d4d153
  - File opened for modification: C:\Users\Admin\Pictures\SendRename.tiff
  - File opened for modification: C:\Users\Admin\Pictures\SendRename.tiff.70d4d153
  - File renamed: C:\Users\Admin\Pictures\ApproveWait.crw => C:\Users\Admin\Pictures\ApproveWait.crw.70d4d153
  - File opened for modification: C:\Users\Admin\Pictures\CopyRemove.tif.70d4d153
  - File renamed: C:\Users\Admin\Pictures\UpdateRegister.png => C:\Users\Admin\Pictures\UpdateRegister.png.70d4d153
  - File opened for modification: C:\Users\Admin\Pictures\SplitRead.raw.70d4d153
  - File renamed: C:\Users\Admin\Pictures\CopyRemove.tif => C:\Users\Admin\Pictures\CopyRemove.tif.70d4d153
  - File renamed: C:\Users\Admin\Pictures\LockHide.crw => C:\Users\Admin\Pictures\LockHide.crw.70d4d153
  - File opened for modification: C:\Users\Admin\Pictures\InitializeConvert.tif.70d4d153
  - File opened for modification: C:\Users\Admin\Pictures\InstallSearch.png.70d4d153
  - File opened for modification: C:\Users\Admin\Pictures\LockHide.crw.70d4d153
  - File renamed: C:\Users\Admin\Pictures\SplitRead.raw => C:\Users\Admin\Pictures\SplitRead.raw.70d4d153
  - File opened for modification: C:\Users\Admin\Pictures\SyncExport.tiff
  - File opened for modification: C:\Users\Admin\Pictures\SyncExport.tiff.70d4d153
  - File opened for modification: C:\Users\Admin\Pictures\DisableMove.tif.70d4d153
  - File renamed: C:\Users\Admin\Pictures\ImportSubmit.crw => C:\Users\Admin\Pictures\ImportSubmit.crw.70d4d153
  - File renamed: C:\Users\Admin\Pictures\SyncExport.tiff => C:\Users\Admin\Pictures\SyncExport.tiff.70d4d153
  - File opened for modification: C:\Users\Admin\Pictures\UpdateRegister.png.70d4d153
  - File opened for modification: C:\Users\Admin\Pictures\ApproveWait.crw.70d4d153
  - File renamed: C:\Users\Admin\Pictures\SendRename.tiff => C:\Users\Admin\Pictures\SendRename.tiff.70d4d153
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: acer.bin.exe, acer.bin.exe
  - File opened (read-only): \??\Z: (acer.bin.exe)
  - File opened (read-only): \??\Z: (acer.bin.exe)
- Drops file in System32 directory (5 IoCs)
  Process: acer.bin.exe
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: acer.bin.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\70d4d153.BMP"
- Modifies Control Panel (2 IoCs)
  Process: acer.bin.exe
  - Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop
  - Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallpaperStyle = "10"
- Modifies data under HKEY_USERS (29 IoCs)
  Processes: acer.bin.exe, acer.bin.exe
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 91e691273fcd387b938128d9a11015443c3f79b357bbe7dd508450a52147c875
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = aa66ccf6af00957acbb7e8dc16276a608c7b07223804bd0a1c8aba4c6a78f8a5
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d002e0062006c00660000000000
  - Key created: \REGISTRY\USER\.DEFAULT\Software
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 55eb7574d3943913a3d94015886dcf5ef76b6fefebdd61eee2d13619d9faf1c7
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = db71dabbac89e2dff05c38b69b3894398bcc98287c545859f011c19c32a0d004
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 5b185e6bcaf1ddda0d9b852f2e23526c46a5433592c35a591511e0a7f49c3266
  - Key deleted: \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 1bd5014a73f62176b200c0b0e8bf219ce1551e175ae11bf7719c49d4b13da17d
  - Key created: \REGISTRY\USER\.DEFAULT\Control Panel\International
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 7c32e6cf0bb6476e9c1967d0220eb3abc7b00750a4ea5ea222fecbd73b94b647
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 940f00005ee7c1538896d701
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000
  - Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\70d4d153.BMP"
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 41798fbc869f7ea5231dc43f77eedbdf8d93e5ea489f9ad655a8266f3968766f
- Modifies registry class (5 IoCs)
  Process: acer.bin.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.70d4d153\ = "70d4d153"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\70d4d153\DefaultIcon
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\70d4d153
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\70d4d153\DefaultIcon\ = "C:\\ProgramData\\70d4d153.ico"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.70d4d153
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  Processes: acer.bin.exe, acer.bin.exe
  - PID 1804 acer.bin.exe (2 entries)
  - PID 3988 acer.bin.exe (24 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Process: vssvc.exe
  - Token: SeBackupPrivilege (PID 348, vssvc.exe)
  - Token: SeRestorePrivilege (PID 348, vssvc.exe)
  - Token: SeAuditPrivilege (PID 348, vssvc.exe)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: acer.bin.exe, acer.bin.exe
  - PID 4028 (acer.bin.exe) wrote to memory of PID 1804 (acer.bin.exe): 4 entries
  - PID 1804 (acer.bin.exe) wrote to memory of PID 3988 (acer.bin.exe): 3 entries
  - PID 1804 (acer.bin.exe) wrote to memory of PID 3544 (acer.bin.exe): 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\acer.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\acer.bin.exe"
- C:\Users\Admin\AppData\Local\Temp\acer.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\acer.bin.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\acer.bin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\acer.bin.exe"
    - Enumerates connected drives
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\acer.bin.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\acer.bin.exe -work worker0 job0-1804
      - Modifies extensions of user files
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\acer.bin.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\acer.bin.exe -work worker1 job1-1804
      - Enumerates connected drives
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken