Analysis
-
max time kernel
107s -
max time network
127s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
28/10/2021, 15:54
Static task
static1
Behavioral task
behavioral1
Sample
98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe
Resource
win10-en-20211014
General
-
Target
98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe
-
Size
700KB
-
MD5
46a1325bb01e37e0ee2d2ba37db257f2
-
SHA1
fde5f666007cdb1fd1dddd2fefbed916992e9e65
-
SHA256
98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63
-
SHA512
2244ad1c7cc1814d0ca2a646ad1d158fef6a269bfcaa327d46400c6ab7edb595b1c47393cfcbb9b15c6f748f50515a4da397733972198453822b03757861ff72
Malware Config
Extracted
C:\Recovery\WindowsRE\README.txt
darkside
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\ClearDisconnect.tiff 98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe File created C:\Users\Admin\Pictures\ClearDisconnect.tiff.decaf 98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe File opened for modification C:\Users\Admin\Pictures\ConvertToSelect.tiff 98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe File created C:\Users\Admin\Pictures\ConvertToSelect.tiff.decaf 98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe File created C:\Users\Admin\Pictures\DenyBackup.tif.decaf 98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe File created C:\Users\Admin\Pictures\EnableBackup.png.decaf 98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe File opened for modification C:\Users\Admin\Pictures\RestoreBlock.tiff 98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe File created C:\Users\Admin\Pictures\RestoreBlock.tiff.decaf 98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2504 wrote to memory of 1772 2504 98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe 70 PID 2504 wrote to memory of 1772 2504 98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe 70
Processes
-
C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.bin.sample.exe"1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\system32\cipher.execipher.exe /w:C:\2⤵PID:1772
-