Malware Analysis Report

2024-10-16 03:29

Sample ID 211101-sndhzaabe8
Target 5da2a2ebe9959e6ac21683a8950055309eb34544962c02ed564e0deaf83c9477.zip
SHA256 5e210a42996ad14924d70184043cb304be7f555a20d8937ae4502e01d4cf33aa
Tags
darkside ransomware upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5e210a42996ad14924d70184043cb304be7f555a20d8937ae4502e01d4cf33aa

Threat Level: Known bad

The file 5da2a2ebe9959e6ac21683a8950055309eb34544962c02ed564e0deaf83c9477.zip was found to be: Known bad.

Malicious Activity Summary

darkside ransomware upx

DarkSide

Suspicious use of NtCreateProcessExOtherParentProcess

UPX packed file

Modifies extensions of user files

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-11-01 15:15

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-11-01 15:15

Reported

2021-11-01 15:18

Platform

win10-en-20210920

Max time kernel

117s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5da2a2ebe9959e6ac21683a8950055309eb34544962c02ed564e0deaf83c9477.exe"

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 3120 created 756 N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\AppData\Local\Temp\5da2a2ebe9959e6ac21683a8950055309eb34544962c02ed564e0deaf83c9477.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WerFault.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5da2a2ebe9959e6ac21683a8950055309eb34544962c02ed564e0deaf83c9477.exe

"C:\Users\Admin\AppData\Local\Temp\5da2a2ebe9959e6ac21683a8950055309eb34544962c02ed564e0deaf83c9477.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 756 -s 132

Network

Country Destination Domain Proto
US 8.8.8.8:53 sv.symcb.com udp
US 93.184.220.29:80 sv.symcb.com tcp
US 8.8.8.8:53 s.symcb.com udp
US 72.21.91.29:80 s.symcb.com tcp
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2021-11-01 15:15

Reported

2021-11-01 15:18

Platform

win7-en-20210920

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description Indicator Process Target
File created C:\Users\Admin\Pictures\DisconnectPop.tif.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\DismountSubmit.tiff.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\MountRegister.tif.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\EnableSuspend.png.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File opened for modification C:\Users\Admin\Pictures\InitializeRepair.tiff C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\InitializeRepair.tiff.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\MeasureSelect.raw.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\AssertInstall.tif.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\CompressRestart.tif.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\ExpandRegister.png.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\UnregisterMount.crw.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\DenyUnregister.raw.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File opened for modification C:\Users\Admin\Pictures\DismountSubmit.tiff C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\ReadMount.tif.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe

"C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe"

C:\Windows\system32\cipher.exe

cipher.exe /w:C:\

Network

N/A

Files

memory/1000-54-0x0000000000000000-mapping.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2021-11-01 15:15

Reported

2021-11-01 15:19

Platform

win10-en-20211014

Max time kernel

154s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\ConvertFromSet.tiff C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\DenyCompare.crw.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\PublishImport.raw.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\ConnectBlock.crw.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\ConnectProtect.crw.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\ConvertFromSet.tiff.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\GrantResume.crw.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\PingDeny.png.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\SkipGroup.tif.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File opened for modification C:\Users\Admin\Pictures\SwitchConvertTo.tiff C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\SwitchConvertTo.tiff.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\BackupExit.raw.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A
File created C:\Users\Admin\Pictures\UninstallConvert.tif.decaf C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe

"C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe"

C:\Windows\system32\cipher.exe

cipher.exe /w:C:\

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.txt

Network

Country Destination Domain Proto
US 52.109.12.20:443 tcp
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp

Files

memory/684-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\Desktop\README.txt

MD5 5f5d5821609d17a014cc9296fad94085
SHA1 c1c47a0a209df64d8b5326a993c0fafc8dfa1dad
SHA256 2cdb19bf6ca8ac5f13dde100b74e7a0a26a265fd19e8f6102a4c37b585bd6597
SHA512 dfd5d831a3b829a2012c241f75040c726acbee481bb3dadf1068ae33f194666d207fbffbc277d70c1dafe96af9219aabf72353d2abf53274b21c3914b1bd3886

Analysis: behavioral1

Detonation Overview

Submitted

2021-11-01 15:15

Reported

2021-11-01 15:26

Platform

win7-en-20211014

Max time kernel

600s

Max time network

600s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5da2a2ebe9959e6ac21683a8950055309eb34544962c02ed564e0deaf83c9477.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5da2a2ebe9959e6ac21683a8950055309eb34544962c02ed564e0deaf83c9477.exe

"C:\Users\Admin\AppData\Local\Temp\5da2a2ebe9959e6ac21683a8950055309eb34544962c02ed564e0deaf83c9477.exe"

Network

N/A

Files

N/A