Analysis
max time kernel: 176s
max time network: 186s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 02-02-2022 05:43
Static task: static1
Behavioral task: behavioral1
Sample: 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.bin.dll
Resource: win10v2004-en-20220112
General
Target: 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.bin.dll
Size: 54KB
MD5: f587adbd83ff3f4d2985453cd45c7ab1
SHA1: 2715340f82426f840cf7e460f53a36fc3aad52aa
SHA256: 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673
SHA512: 37acf3c7a0b52421b4b33b14e5707497cfc52e57322ad9ffac87d0551220afc202d4c0987460d295077b9ee681fac2021bbfdebdc52c829b5f998ce7ac2d1efe
Malware Config
Extracted
Path: C:\\README.bc654380.TXT
Family: darkside
URL: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB5QXP6LUZV654ASG7977V
Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

Drops file in System32 directory (4 IoCs)
Process: rundll32.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: MusNotifyIcon.exe
  Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Modifies data under HKEY_USERS (9 IoCs)
Process: rundll32.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Key created      \REGISTRY\USER\.DEFAULT\Control Panel\International
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\

Modifies registry class (5 IoCs)
Process: rundll32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\bc654380\DefaultIcon
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\bc654380
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\bc654380\DefaultIcon\ = "C:\\ProgramData\\bc654380.ico"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.bc654380
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.bc654380\ = "bc654380"

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: rundll32.exe
  pid 3684  rundll32.exe
  pid 3684  rundll32.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Process: vssvc.exe
  Token: SeBackupPrivilege   pid 380  vssvc.exe
  Token: SeRestorePrivilege  pid 380  vssvc.exe
  Token: SeAuditPrivilege    pid 380  vssvc.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: rundll32.exe, rundll32.exe, rundll32.exe, rundll32.exe
  PID 4092 wrote to memory of 3352  rundll32.exe -> rundll32.exe
  PID 4092 wrote to memory of 3352  rundll32.exe -> rundll32.exe
  PID 4092 wrote to memory of 3352  rundll32.exe -> rundll32.exe
  PID 2648 wrote to memory of 2756  rundll32.exe -> rundll32.exe
  PID 2648 wrote to memory of 2756  rundll32.exe -> rundll32.exe
  PID 2648 wrote to memory of 2756  rundll32.exe -> rundll32.exe
  PID 2756 wrote to memory of 3684  rundll32.exe -> rundll32.exe
  PID 2756 wrote to memory of 3684  rundll32.exe -> rundll32.exe
  PID 2756 wrote to memory of 3684  rundll32.exe -> rundll32.exe
  PID 3684 wrote to memory of 2500  rundll32.exe -> rundll32.exe
  PID 3684 wrote to memory of 2500  rundll32.exe -> rundll32.exe
  PID 3684 wrote to memory of 2500  rundll32.exe -> rundll32.exe
Processes
(process tree; indentation shows parent/child nesting)

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k wusvcs -p

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.bin.dll,#1
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.bin.dll,#1

C:\Windows\system32\MusNotifyIcon.exe
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.bin.dll,#1
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.bin.dll,#1
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32.exe
          command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.bin.dll,#1
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\rundll32.exe
              command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.bin.dll,#3 worker0 job0-3684

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k wusvcs -p

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken