Resubmissions
02-02-2022 05:52
220202-gkv33aggfr 1002-02-2022 05:47
220202-gg54vsggej 1002-02-2022 05:04
220202-fqg8qagcfl 1002-02-2022 05:01
220202-fnve9sgcck 1002-02-2022 04:58
220202-fl8j4sgeh6 1002-02-2022 04:52
220202-fhc9ssged6 1002-02-2022 04:44
220202-fc77zsgahr 1002-02-2022 04:39
220202-e95mpagacp 10Analysis
-
max time kernel
89s -
max time network
97s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
01-02-2022 16:13
Static task
static1
Behavioral task
behavioral1
Sample
156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll
Resource
win10-en-20211208
General
-
Target
156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll
-
Size
54KB
-
MD5
f587adbd83ff3f4d2985453cd45c7ab1
-
SHA1
2715340f82426f840cf7e460f53a36fc3aad52aa
-
SHA256
156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673
-
SHA512
37acf3c7a0b52421b4b33b14e5707497cfc52e57322ad9ffac87d0551220afc202d4c0987460d295077b9ee681fac2021bbfdebdc52c829b5f998ce7ac2d1efe
Malware Config
Extracted
C:\\README.a97d73e3.TXT
darkside
http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB5QXP6LUZV654ASG7977V
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Drops file in System32 directory 5 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 rundll32.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE rundll32.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies rundll32.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 rundll32.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat rundll32.exe -
Modifies data under HKEY_USERS 28 IoCs
Processes:
rundll32.exerundll32.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 69adfe26f512e6db08fd673723162e6bcf4fba8ad495ee66fa78b2d7124932d8 rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 48f62b81a1ab5f7f23c82d53be008ee626f98fdff8729d564376171baf61e39d rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\International rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft rundll32.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e005300680065006c006c0045007800700065007200690065006e006300650048006f00730074005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e006400610074002e004c004f004700310000000000 rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 36451d210411dd0e1c0e3e637fc52203aaa56b801411b1df17217a13d9e128c6 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f007200740061006e0061005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e006400610074002e004c004f004700310000000000 rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e005300680065006c006c0045007800700065007200690065006e006300650048006f00730074005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e0064006100740000000000 rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 201c33f12083697bdb75e7540199d650699c984a2e85a4cf6af3580525ae1c4e rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 71c433da2da10e809fa7d78e513f24150bc7454892f8c352cc36997e52a9a337 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 8c02000045658d5de219d801 rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 6aa8a601c96cc161514c35e62440bc443fdecac238c5e223c6222537327f88a5 rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1" rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f007200740061006e0061005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e0064006100740000000000 rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = e6955815d4dff4351626b4449a4bf73522fc17c09cc58d44114f4aca04472398 rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = bf67297b086ab9befd6117032f2a985a85da33212742d466e4c2dfa02d22da1e rundll32.exe -
Modifies registry class 5 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.a97d73e3 rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.a97d73e3\ = "a97d73e3" rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\a97d73e3\DefaultIcon rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\a97d73e3 rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\a97d73e3\DefaultIcon\ = "C:\\ProgramData\\a97d73e3.ico" rundll32.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
rundll32.exerundll32.exepid process 3376 rundll32.exe 3376 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe 652 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 432 vssvc.exe Token: SeRestorePrivilege 432 vssvc.exe Token: SeAuditPrivilege 432 vssvc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exedescription pid process target process PID 2608 wrote to memory of 2804 2608 rundll32.exe rundll32.exe PID 2608 wrote to memory of 2804 2608 rundll32.exe rundll32.exe PID 2608 wrote to memory of 2804 2608 rundll32.exe rundll32.exe PID 3596 wrote to memory of 3920 3596 rundll32.exe rundll32.exe PID 3596 wrote to memory of 3920 3596 rundll32.exe rundll32.exe PID 3596 wrote to memory of 3920 3596 rundll32.exe rundll32.exe PID 3920 wrote to memory of 3376 3920 rundll32.exe rundll32.exe PID 3920 wrote to memory of 3376 3920 rundll32.exe rundll32.exe PID 3920 wrote to memory of 3376 3920 rundll32.exe rundll32.exe PID 3376 wrote to memory of 652 3376 rundll32.exe rundll32.exe PID 3376 wrote to memory of 652 3376 rundll32.exe rundll32.exe PID 3376 wrote to memory of 652 3376 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#12⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#13⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#3 worker0 job0-33764⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken