General

  • Size

    1MB

  • Sample

    220716-vdzpkadhdq

  • MD5

    60ed30bea0f9e2db5cc1f45241c7473c

  • SHA1

    62b33edc9682bc780bc68d34ae7b19eaf429e42d

  • SHA256

    fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6

  • SHA512

    e746f0e3e37bc1c8d8a30f9e9e01cb0ab3d95e0338a1cfde78f5442b5492c8427addf0e732264fd3b4d775b2c148ba336b0269d4e194a816a97e1bebc57b7802

Score
10/10

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Family

darkylock

Ransom Note

---------- Hello -----------
***WELCOME TO DARKY LOCK ***
Your computers and servers are encrypted, and backups are deleted. We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation. The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network.
Follow our instructions below, and you will recover all your data:
1) Pay 0.005 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i
2) Send us message with transaction id to darkylock@tutanota.com
3) Launch decrypt_bit.exe, which our support will send you through email
What guarantees?
------------------
We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is tested by time and will decrypt all your data.
------------------
!!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!

Emails

darkylock@tutanota.com

Wallets

1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i

Targets

    • Target

      fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.bin

    • Score

      10/10

    • DarkyLock

      Ransomware family first seen in July 2022.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation