Analysis

  • max time kernel
    107s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    28-10-2021 15:54

General

  • Target

    98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe

  • Size

    700KB

  • MD5

    46a1325bb01e37e0ee2d2ba37db257f2

  • SHA1

    fde5f666007cdb1fd1dddd2fefbed916992e9e65

  • SHA256

    98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63

  • SHA512

    2244ad1c7cc1814d0ca2a646ad1d158fef6a269bfcaa327d46400c6ab7edb595b1c47393cfcbb9b15c6f748f50515a4da397733972198453822b03757861ff72

Score
10/10

Malware Config

Extracted

Path

C:\Recovery\WindowsRE\README.txt

Family

darkside

Ransom Note
WINNER WINNER CHICKEN DINNER What happend? ############################################## All your servers and computers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ############################################## We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one image file for free. The file size should be no more than 2 MB. Contact us by email: 22eb687475f2c5ca30b@protonmail.com !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
Emails

22eb687475f2c5ca30b@protonmail.com

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe"
    • Modifies extensions of user files
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Windows\system32\cipher.exe
      cipher.exe /w:C:\
      PID:1772

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1772-115-0x0000000000000000-mapping.dmp