Analysis Overview
SHA256
5e210a42996ad14924d70184043cb304be7f555a20d8937ae4502e01d4cf33aa
Threat Level: Known bad
The file 5da2a2ebe9959e6ac21683a8950055309eb34544962c02ed564e0deaf83c9477.zip was found to be: Known bad.
Malicious Activity Summary
DarkSide
Suspicious use of NtCreateProcessExOtherParentProcess
UPX packed file
Modifies extensions of user files
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2021-11-01 15:15
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2021-11-01 15:15
Reported
2021-11-01 15:18
Platform
win10-en-20210920
Max time kernel
117s
Max time network
136s
Command Line
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3120 created 756 | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5da2a2ebe9959e6ac21683a8950055309eb34544962c02ed564e0deaf83c9477.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5da2a2ebe9959e6ac21683a8950055309eb34544962c02ed564e0deaf83c9477.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WerFault.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5da2a2ebe9959e6ac21683a8950055309eb34544962c02ed564e0deaf83c9477.exe
"C:\Users\Admin\AppData\Local\Temp\5da2a2ebe9959e6ac21683a8950055309eb34544962c02ed564e0deaf83c9477.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 756 -s 132
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | sv.symcb.com | udp |
| US | 93.184.220.29:80 | sv.symcb.com | tcp |
| US | 8.8.8.8:53 | s.symcb.com | udp |
| US | 72.21.91.29:80 | s.symcb.com | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2021-11-01 15:15
Reported
2021-11-01 15:18
Platform
win7-en-20210920
Max time kernel
119s
Max time network
124s
Command Line
Signatures
DarkSide
Modifies extensions of user files
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1100 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe | C:\Windows\system32\cipher.exe |
| PID 1100 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe | C:\Windows\system32\cipher.exe |
| PID 1100 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe | C:\Windows\system32\cipher.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe
"C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe"
C:\Windows\system32\cipher.exe
cipher.exe /w:C:\
Network
Files
memory/1000-54-0x0000000000000000-mapping.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2021-11-01 15:15
Reported
2021-11-01 15:19
Platform
win10-en-20211014
Max time kernel
154s
Max time network
142s
Command Line
Signatures
DarkSide
Modifies extensions of user files
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1516 wrote to memory of 684 | N/A | C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe | C:\Windows\system32\cipher.exe |
| PID 1516 wrote to memory of 684 | N/A | C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe | C:\Windows\system32\cipher.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe
"C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe"
C:\Windows\system32\cipher.exe
cipher.exe /w:C:\
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.txt
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 52.109.12.20:443 | | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
memory/684-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\README.txt
| Hash | Value |
|---|---|
| MD5 | 5f5d5821609d17a014cc9296fad94085 |
| SHA1 | c1c47a0a209df64d8b5326a993c0fafc8dfa1dad |
| SHA256 | 2cdb19bf6ca8ac5f13dde100b74e7a0a26a265fd19e8f6102a4c37b585bd6597 |
| SHA512 | dfd5d831a3b829a2012c241f75040c726acbee481bb3dadf1068ae33f194666d207fbffbc277d70c1dafe96af9219aabf72353d2abf53274b21c3914b1bd3886 |
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-01 15:15
Reported
2021-11-01 15:26
Platform
win7-en-20211014
Max time kernel
600s
Max time network
600s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\5da2a2ebe9959e6ac21683a8950055309eb34544962c02ed564e0deaf83c9477.exe
"C:\Users\Admin\AppData\Local\Temp\5da2a2ebe9959e6ac21683a8950055309eb34544962c02ed564e0deaf83c9477.exe"