Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-en-20211014
submitted: 25-11-2021 14:35
Static task: static1
Behavioral task: behavioral1
  Sample: a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe
  Resource: win10-en-20211104
General
Target: a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe
Size: 831KB
MD5: f2cb24bfbd11a22c235f2f492b95c28d
SHA1: e7acd40a42130efc72b3ec0920381f86d9dfd8e2
SHA256: a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850
SHA512: 2d2c72d55046008f509a27716ddb7093858a73ec89686a29bbe497fe2c190311cdb54ec15a449d7483b30aa37a82e99c4f19f3e700973518c051b60a12ca64b4
Malware Config
Extracted from: C:\Recovery\590dd5e2-2d4f-11ec-8202-e2f59334bf81\README.txt
Family: darkside
Email: 22eb687475f2c5ca30b@protonmail.com
Signatures
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe
  description | ioc | process
  File created | C:\Users\Admin\Pictures\DenyInvoke.tiff.decaf | a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe
  File created | C:\Users\Admin\Pictures\ExitUse.tif.decaf | a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe
  File created | C:\Users\Admin\Pictures\GetGroup.tif.decaf | a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe
  File created | C:\Users\Admin\Pictures\SkipSelect.raw.decaf | a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe
  File created | C:\Users\Admin\Pictures\SyncSet.raw.decaf | a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe
  File opened for modification | C:\Users\Admin\Pictures\DenyInvoke.tiff | a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe
  description | pid | process | target process
  PID 1100 wrote to memory of 1752 | 1100 | a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe | cipher.exe
  PID 1100 wrote to memory of 1752 | 1100 | a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe | cipher.exe
  PID 1100 wrote to memory of 1752 | 1100 | a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe | cipher.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe"
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cipher.exe (child process)
    Command line: cipher.exe /w:C:\
Network
MITRE ATT&CK Matrix
Downloads
-
memory/1752-55-0x0000000000000000-mapping.dmp