Resubmissions

Submitted          ID                  Score
02-02-2022 05:52   220202-gkv33aggfr   10
02-02-2022 05:47   220202-gg54vsggej   10
02-02-2022 05:04   220202-fqg8qagcfl   10
02-02-2022 05:01   220202-fnve9sgcck   10
02-02-2022 04:58   220202-fl8j4sgeh6   10
02-02-2022 04:52   220202-fhc9ssged6   10
02-02-2022 04:44   220202-fc77zsgahr   10
02-02-2022 04:39   220202-e95mpagacp   10

Analysis
max time kernel: 246s
max time network: 248s
platform: windows10_x64
resource: win10-en-20211208
submitted: 02-02-2022 04:36

Static task: static1
Behavioral task: behavioral1
Sample: 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll
Resource: win10-en-20211208
General

Target: 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll
Size: 54KB
MD5: f587adbd83ff3f4d2985453cd45c7ab1
SHA1: 2715340f82426f840cf7e460f53a36fc3aad52aa
SHA256: 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673
SHA512: 37acf3c7a0b52421b4b33b14e5707497cfc52e57322ad9ffac87d0551220afc202d4c0987460d295077b9ee681fac2021bbfdebdc52c829b5f998ce7ac2d1efe
Malware Config

Extracted
Ransom note path: C:\README.30b346f4.TXT
Family: darkside
Victim portal URL: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB5QXP6LUZV654ASG7977V
Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
Drops file in System32 directory (5 IoCs)
Process: rundll32.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
These are the WinINet cookie, history and cache folders under the SYSTEM profile; together with the Internet Settings values written under HKU\.DEFAULT (see "Modifies data under HKEY_USERS" below) they are the standard side effect of WinINet being initialised in a process whose profile resolves to the system profile, not files the sample itself chooses to plant.
Drops file in Windows directory (2 IoCs)
Process: taskmgr.exe
  File created  C:\Windows\rescache\_merged\4183903823\97717462.pri
  File created  C:\Windows\rescache\_merged\1601268389\1361672858.pri
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Process: taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
In this run every hit belongs to taskmgr.exe (pid 3600), which is its own root in the process tree and not a descendant of the sample's rundll32.exe chain, so this signature is not evidence of sandbox evasion by the sample.
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe (2 instances)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
As with the SCSI check, all hits come from the two Firefox browser instances in the tree, not from the sample's rundll32.exe processes.
Modifies data under HKEY_USERS (9 IoCs)
Process: rundll32.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Key created      \REGISTRY\USER\.DEFAULT\Control Panel\International
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
Modifies registry class (6 IoCs)
Processes: firefox.exe, rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings                     firefox.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.30b346f4                                                           rundll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.30b346f4\ = "30b346f4"                                              rundll32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\30b346f4\DefaultIcon                                                rundll32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\30b346f4                                                            rundll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\30b346f4\DefaultIcon\ = "C:\ProgramData\30b346f4.ico"                rundll32.exe
The rundll32.exe rows are the sample's real footprint: it registers a new file extension (.30b346f4), maps it to a class of the same name and gives that class an icon under C:\ProgramData. The eight-hex-digit token is the same one used in the ransom note name from the extracted config (README.30b346f4.TXT), so the extension, the icon file and the note can be correlated on a single victim ID. The firefox.exe row is ordinary browser activity.
Suspicious behavior: EnumeratesProcesses (34 IoCs)
Processes: taskmgr.exe, rundll32.exe
  pid 3600 taskmgr.exe  (32 hits)
  pid 4256 rundll32.exe (2 hits)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes: taskmgr.exe, firefox.exe, vssvc.exe
  Token: SeDebugPrivilege          pid 3600 taskmgr.exe
  Token: SeSystemProfilePrivilege  pid 3600 taskmgr.exe
  Token: SeCreateGlobalPrivilege   pid 3600 taskmgr.exe
  Token: SeDebugPrivilege          pid 3992 firefox.exe
  Token: SeDebugPrivilege          pid 3992 firefox.exe
  Token: SeBackupPrivilege         pid 4368 vssvc.exe
  Token: SeRestorePrivilege        pid 4368 vssvc.exe
  Token: SeAuditPrivilege          pid 4368 vssvc.exe
vssvc.exe is the Volume Shadow Copy service and these are the privileges it enables whenever it starts. Its appearance during the run is consistent with a shadow-copy operation having been requested, but the report records no vssadmin, WMI or COM call from the sample, so on this page alone it is not proof of shadow-copy deletion.
Suspicious use of FindShellTrayWindow (52 IoCs)
Processes: taskmgr.exe, firefox.exe
  pid 3600 taskmgr.exe and pid 3992 firefox.exe (52 repeated hits)

Suspicious use of SendNotifyMessage (49 IoCs)
Processes: taskmgr.exe, firefox.exe
  pid 3600 taskmgr.exe and pid 3992 firefox.exe (49 repeated hits)

Suspicious use of SetWindowsHookEx (1 IoC)
Process: firefox.exe
  pid 3992 firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, firefox.exe (3 instances)
Unique writer -> target pairs (the 64 rows repeat these):
  PID 3488 rundll32.exe -> PID 764 rundll32.exe
  PID 2384 firefox.exe  -> PID 3992 firefox.exe
  PID 3992 firefox.exe  -> PID 1400 firefox.exe
  PID 2388 firefox.exe  -> PID 3540 firefox.exe
  PID 3992 firefox.exe  -> PID 3612 firefox.exe
Every pair is a parent writing into a child it has just created: the system32 rundll32.exe re-launching the SysWOW64 copy to host the DLL (consistent with a 32-bit sample), and Firefox spawning its own content processes. The signature flags such writes indiscriminately, so none of these rows points at injection into a foreign process.
Processes

1  C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#1
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#1

1  C:\Program Files\Mozilla Firefox\firefox.exe
   "C:\Program Files\Mozilla Firefox\firefox.exe"
   - Suspicious use of WriteProcessMemory
   2  C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3  C:\Program Files\Mozilla Firefox\firefox.exe
         "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3992.0.320327996\1087374056" -parentBuildID 20200403170909 -prefsHandle 1520 -prefMapHandle 1512 -prefsLen 1 -prefMapSize 219808 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3992 "\\.\pipe\gecko-crash-server-pipe.3992" 1612 gpu
      3  C:\Program Files\Mozilla Firefox\firefox.exe
         "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3992.6.2101120339\329837940" -childID 1 -isForBrowser -prefsHandle 2896 -prefMapHandle 2892 -prefsLen 156 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3992 "\\.\pipe\gecko-crash-server-pipe.3992" 2908 tab
      3  C:\Program Files\Mozilla Firefox\firefox.exe
         "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3992.13.362001218\1614522103" -childID 2 -isForBrowser -prefsHandle 2760 -prefMapHandle 3132 -prefsLen 196 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3992 "\\.\pipe\gecko-crash-server-pipe.3992" 2836 tab
      3  C:\Program Files\Mozilla Firefox\firefox.exe
         "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3992.20.1618842082\283422053" -childID 3 -isForBrowser -prefsHandle 3580 -prefMapHandle 3576 -prefsLen 6950 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3992 "\\.\pipe\gecko-crash-server-pipe.3992" 3592 tab
      3  C:\Program Files\Mozilla Firefox\firefox.exe
         "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3992.27.2025427947\1797354232" -childID 4 -isForBrowser -prefsHandle 3996 -prefMapHandle 4028 -prefsLen 6950 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3992 "\\.\pipe\gecko-crash-server-pipe.3992" 4016 tab

1  C:\Windows\system32\taskmgr.exe
   "C:\Windows\system32\taskmgr.exe" /4
   - Drops file in Windows directory
   - Checks SCSI registry key(s)
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage

1  C:\Program Files\Mozilla Firefox\firefox.exe
   "C:\Program Files\Mozilla Firefox\firefox.exe"
   - Suspicious use of WriteProcessMemory
   2  C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Checks processor information in registry

1  C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#1
   2  C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#1
      3  C:\Windows\SysWOW64\rundll32.exe
         rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#1
         - Drops file in System32 directory
         - Modifies data under HKEY_USERS
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses
         4  C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.dll,#3 worker0 job0-4256

1  C:\Windows\system32\vssvc.exe
   C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken

The leading number is the depth of each node in the tree. Note that only the last rundll32.exe chain carries the sample's own signatures (registry class, HKEY_USERS, System32 cache files), and that its depth-3 instance spawns a further rundll32.exe with export ordinal #3 and a "worker0 job0-..." argument; taskmgr.exe, both Firefox trees and vssvc.exe are separate roots.
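The IoC tables and process tree above contain two things a detection engineer would want to automate: correlating the DarkSide victim ID across the new extension class, its DefaultIcon path and the ransom-note name, and attributing the "sandbox evasion" registry reads to the process that made them so that hits from taskmgr.exe and firefox.exe are not charged to the sample. The following Python is an added example written for this page; it is not part of the sandbox report or of any analysis tool's code. The event rows are constructed from the report's own IoC lines (the README row is built from the Malware Config path, which the report lists as extracted config rather than as a file-write IoC); the parent links 3488 -> 764 and 2384 -> 3992 come from the WriteProcessMemory rows, while the assumption that pid 4256 is the registry-writing rundll32.exe and a child of 764 is mine, as are all function names.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

Event = Tuple[str, str, str, int]  # (action, ioc, image, pid)

# Constructed input modelled on this report's IoC rows. pid 4256 for the
# registry-writing rundll32.exe is an assumption (the report flags 4256 under
# EnumeratesProcesses but prints no pid next to the registry rows).
EVENTS: List[Event] = [
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\.30b346f4", "rundll32.exe", 4256),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Classes\.30b346f4\ = " + '"30b346f4"', "rundll32.exe", 4256),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\30b346f4\DefaultIcon", "rundll32.exe", 4256),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Classes\30b346f4\DefaultIcon\ = " + '"C:\\ProgramData\\30b346f4.ico"', "rundll32.exe", 4256),
    ("File created", r"C:\README.30b346f4.TXT", "rundll32.exe", 4256),  # from the Malware Config path
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000", "taskmgr.exe", 3600),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier", "firefox.exe", 3992),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz", "firefox.exe", 3992),
]

# pid -> (image, parent pid). 3488->764 and 2384->3992 are the report's
# WriteProcessMemory rows; 764->4256 is assumed to complete the rundll32 chain.
PROC_TREE: Dict[int, Tuple[str, Optional[int]]] = {
    3488: ("rundll32.exe", None),
    764: ("rundll32.exe", 3488),
    4256: ("rundll32.exe", 764),
    2384: ("firefox.exe", None),
    3992: ("firefox.exe", 2384),
    3600: ("taskmgr.exe", None),
    4368: ("vssvc.exe", None),
}
SAMPLE_ROOTS: Set[int] = {3488}  # the rundll32.exe that loaded the sample DLL (,#1)

HEX8 = r"([0-9a-fA-F]{8})"
# HKLM\SOFTWARE\Classes\.<id>\ = "<id>"  (new extension mapped to a class of the same name)
EXT_CLASS = re.compile(r"\\Classes\\\." + HEX8 + r"\\ = \"" + HEX8 + r"\"$")
# HKLM\SOFTWARE\Classes\<id>\DefaultIcon\ = "C:\ProgramData\<id>.ico"
DEFAULT_ICON = re.compile(r"\\Classes\\" + HEX8 + r"\\DefaultIcon\\ = \"C:\\ProgramData\\" + HEX8 + r"\.ico\"$")
# README.<id>.TXT ransom note
README = re.compile(r"\\README\." + HEX8 + r"\.TXT$", re.IGNORECASE)
# Registry paths the report's "checks ... registry" signatures key on
EVASION_MARKERS = (r"\Enum\SCSI", r"\CentralProcessor")


def victim_id_indicators(events: List[Event]) -> Dict[str, Set[str]]:
    """Map each 8-hex victim ID to the DarkSide-style indicators that carry it."""
    found: Dict[str, Set[str]] = {}
    for _action, ioc, _image, _pid in events:
        if (m := EXT_CLASS.search(ioc)) and m.group(1).lower() == m.group(2).lower():
            found.setdefault(m.group(1).lower(), set()).add("ext_class")
        elif (m := DEFAULT_ICON.search(ioc)) and m.group(1).lower() == m.group(2).lower():
            found.setdefault(m.group(1).lower(), set()).add("default_icon")
        elif (m := README.search(ioc)):
            found.setdefault(m.group(1).lower(), set()).add("readme")
    return found


def confirmed_victim_ids(events: List[Event]) -> List[str]:
    """IDs seen on all three indicators: extension class, DefaultIcon and ransom note."""
    need = {"ext_class", "default_icon", "readme"}
    return sorted(vid for vid, parts in victim_id_indicators(events).items() if parts == need)


def in_sample_lineage(pid: Optional[int], tree=PROC_TREE, roots=SAMPLE_ROOTS) -> bool:
    """Walk parent links until a sample root is hit, the tree runs out, or a loop is seen."""
    seen: Set[int] = set()
    while pid is not None and pid not in seen:
        if pid in roots:
            return True
        seen.add(pid)
        pid = tree.get(pid, ("", None))[1]
    return False


def attribute_evasion_reads(events: List[Event], tree=PROC_TREE, roots=SAMPLE_ROOTS) -> List[Tuple[int, str, bool]]:
    """(pid, image, descends_from_sample) for every SCSI / CentralProcessor registry read."""
    return [(pid, image, in_sample_lineage(pid, tree, roots))
            for _action, ioc, image, pid in events
            if any(marker in ioc for marker in EVASION_MARKERS)]


if __name__ == "__main__":
    print("confirmed DarkSide victim IDs:", confirmed_victim_ids(EVENTS))
    for pid, image, from_sample in attribute_evasion_reads(EVENTS):
        print(f"evasion-style read by {image} (pid {pid}): "
              + ("sample lineage" if from_sample else "unrelated root process"))
```

Requiring all three indicators before reporting a victim ID keeps a lone extension registration (legitimate installers do that too) from firing; the lineage walk is what turns the report's generic "checks SCSI / processor registry" signatures into a usable verdict, since here every such read descends from a root that is not the sample.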
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

\??\pipe\chrome.3992.25.50917191
MD5: fe2ceeb0194ab76f28515bec8450da98
SHA1: e11823c5bba27cdf43304278406aebe09021d337
SHA256: 40ad3d2a8034960efb066cd198a3c75510626f44748cb238accfa00a7bceca63
SHA512: c1032b52e23def714006bc6603c6e03f9ea66ba2692de56bc848449208b4c490b9a5308f60a4d17f5d036ee3c3f4659b2284ac3b87ae324df17d27943c9e0e97
The only captured artifact is a named pipe of the Firefox parent process (pid 3992); Firefox's IPC layer, inherited from Chromium, names its pipes chrome.<pid>.<n>.<random>. It is browser traffic, not output of the sample.