darkylock | fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6

General

Target

fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe
Size

1.5MB
MD5

60ed30bea0f9e2db5cc1f45241c7473c
SHA1

62b33edc9682bc780bc68d34ae7b19eaf429e42d
SHA256

fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6
SHA512

e746f0e3e37bc1c8d8a30f9e9e01cb0ab3d95e0338a1cfde78f5442b5492c8427addf0e732264fd3b4d775b2c148ba336b0269d4e194a816a97e1bebc57b7802

Score

10^/10

darkylock ransomware

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Family

darkylock

Ransom Note

---------- Hello ----------- ***WELCOME TO DARKY LOCK *** Your computers and servers are encrypted, and backups are deleted. We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation. The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network. Follow our instructions below, and you will recover all your data: 1) Pay 0.005 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i 2) Send us message with transaction id to darkylock@tutanota.com 3) Launch decrypt_bit.exe, which our support will send you through email What guarantees? ------------------ We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is tested by time and will decrypt all your data. ------------------ !!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!

Emails

darkylock@tutanota.com

Wallets

1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i

Signatures

DarkyLock
Ransomware family first seen in July 2022.
ransomware darkylock
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 3 IoCs

Processes:

E_WIN.EXEPUTTY.EXE

pid process

1968 E_WIN.EXE
1260 PUTTY.EXE
1360

pid	process
1968	E_WIN.EXE
1260	PUTTY.EXE
1360

Modifies extensions of user files 18 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

E_WIN.EXE

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SearchSync.tiff => C:\Users\Admin\Pictures\SearchSync.tiff.darky	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\SaveClear.tif.darky	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\ConnectClose.tif => C:\Users\Admin\Pictures\ConnectClose.tif.darky	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\InvokePush.tiff.darky	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\SearchSync.tiff	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\SearchSync.tiff.darky	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\SyncClear.crw.darky	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\ConnectClose.tif.darky	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\InvokePush.tiff => C:\Users\Admin\Pictures\InvokePush.tiff.darky	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\SaveClear.tif => C:\Users\Admin\Pictures\SaveClear.tif.darky	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\OutPublish.raw.darky	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\RestoreStop.png.darky	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\UnblockDeny.png.darky	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\SyncClear.crw => C:\Users\Admin\Pictures\SyncClear.crw.darky	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\UnblockDeny.png => C:\Users\Admin\Pictures\UnblockDeny.png.darky	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\InvokePush.tiff	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\OutPublish.raw => C:\Users\Admin\Pictures\OutPublish.raw.darky	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\RestoreStop.png => C:\Users\Admin\Pictures\RestoreStop.png.darky	E_WIN.EXE

Loads dropped DLL 4 IoCs

Processes:

fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe

pid	process
2004	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe
2004	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe
2004	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe
2004	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

E_WIN.EXE

description	ioc	process
File opened (read-only)	\??\R:	E_WIN.EXE
File opened (read-only)	\??\G:	E_WIN.EXE
File opened (read-only)	\??\N:	E_WIN.EXE
File opened (read-only)	\??\I:	E_WIN.EXE
File opened (read-only)	\??\S:	E_WIN.EXE
File opened (read-only)	\??\J:	E_WIN.EXE
File opened (read-only)	\??\L:	E_WIN.EXE
File opened (read-only)	\??\Z:	E_WIN.EXE
File opened (read-only)	\??\W:	E_WIN.EXE
File opened (read-only)	\??\E:	E_WIN.EXE
File opened (read-only)	\??\U:	E_WIN.EXE
File opened (read-only)	\??\X:	E_WIN.EXE
File opened (read-only)	\??\A:	E_WIN.EXE
File opened (read-only)	\??\F:	E_WIN.EXE
File opened (read-only)	\??\H:	E_WIN.EXE
File opened (read-only)	\??\B:	E_WIN.EXE
File opened (read-only)	\??\T:	E_WIN.EXE
File opened (read-only)	\??\Y:	E_WIN.EXE
File opened (read-only)	\??\P:	E_WIN.EXE
File opened (read-only)	\??\V:	E_WIN.EXE
File opened (read-only)	\??\M:	E_WIN.EXE
File opened (read-only)	\??\Q:	E_WIN.EXE
File opened (read-only)	\??\O:	E_WIN.EXE
File opened (read-only)	\??\K:	E_WIN.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1764 vssadmin.exe
688 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

E_WIN.EXE

pid process

1968 E_WIN.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PUTTY.EXE

pid process

1260 PUTTY.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1440 vssvc.exe
Token: SeRestorePrivilege 1440 vssvc.exe
Token: SeAuditPrivilege 1440 vssvc.exe

pid	process
1764	vssadmin.exe
688	vssadmin.exe

pid	process
1968	E_WIN.EXE

pid	process
1260	PUTTY.EXE

description	pid	process
Token: SeBackupPrivilege	1440	vssvc.exe
Token: SeRestorePrivilege	1440	vssvc.exe
Token: SeAuditPrivilege	1440	vssvc.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exeE_WIN.EXEcmd.execmd.exe

description	pid	process	target process
PID 2004 wrote to memory of 1968	2004	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe	E_WIN.EXE
PID 2004 wrote to memory of 1968	2004	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe	E_WIN.EXE
PID 2004 wrote to memory of 1968	2004	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe	E_WIN.EXE
PID 2004 wrote to memory of 1968	2004	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe	E_WIN.EXE
PID 2004 wrote to memory of 1260	2004	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe	PUTTY.EXE
PID 2004 wrote to memory of 1260	2004	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe	PUTTY.EXE
PID 2004 wrote to memory of 1260	2004	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe	PUTTY.EXE
PID 2004 wrote to memory of 1260	2004	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe	PUTTY.EXE
PID 1968 wrote to memory of 1500	1968	E_WIN.EXE	cmd.exe
PID 1968 wrote to memory of 1500	1968	E_WIN.EXE	cmd.exe
PID 1968 wrote to memory of 1500	1968	E_WIN.EXE	cmd.exe
PID 1968 wrote to memory of 1500	1968	E_WIN.EXE	cmd.exe
PID 1500 wrote to memory of 1764	1500	cmd.exe	vssadmin.exe
PID 1500 wrote to memory of 1764	1500	cmd.exe	vssadmin.exe
PID 1500 wrote to memory of 1764	1500	cmd.exe	vssadmin.exe
PID 1968 wrote to memory of 1128	1968	E_WIN.EXE	cmd.exe
PID 1968 wrote to memory of 1128	1968	E_WIN.EXE	cmd.exe
PID 1968 wrote to memory of 1128	1968	E_WIN.EXE	cmd.exe
PID 1968 wrote to memory of 1128	1968	E_WIN.EXE	cmd.exe
PID 1128 wrote to memory of 688	1128	cmd.exe	vssadmin.exe
PID 1128 wrote to memory of 688	1128	cmd.exe	vssadmin.exe
PID 1128 wrote to memory of 688	1128	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe
"C:\Users\Admin\AppData\Local\Temp\fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE
"C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:688

C:\Users\Admin\AppData\Local\Temp\PUTTY.EXE
"C:\Users\Admin\AppData\Local\Temp\PUTTY.EXE"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:1260

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE
Filesize
92KB

MD5
7cdc8057b3fe13b069b8db93fdde1764

SHA1
8ddd3c69fe3935e4903a2b397bc6f0de772a1bcb

SHA256
393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c

SHA512
7a7778b03a681bad08722019d27c2ca56609cbe6ec6e976b2d08e402b7ec5f2c7ad7d935632c0958b15b42d3dd066b1bd03707a778d77592a29b92adae684801

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUTTY.EXE
Filesize
1.4MB

MD5
e32f72e15f78347c51c4ca1b2847f667

SHA1
de8b253c8aee745fdb082fec5ad0618c2e4cdb92

SHA256
341cb4515476007153b7f17212f5e4476852837a031efedd5a4adea723c0bcbe

SHA512
5e920453f6fb39b6da4020e803e94b997a4bbc71d5455d0717cea6673864dadc19d66971af9d2ce835b080da41b800e90778384c7799a6f9ac15a840cf4977e5

Download Submit
\Users\Admin\AppData\Local\Temp\E_WIN.EXE
Filesize
92KB

MD5
7cdc8057b3fe13b069b8db93fdde1764

SHA1
8ddd3c69fe3935e4903a2b397bc6f0de772a1bcb

SHA256
393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c

SHA512
7a7778b03a681bad08722019d27c2ca56609cbe6ec6e976b2d08e402b7ec5f2c7ad7d935632c0958b15b42d3dd066b1bd03707a778d77592a29b92adae684801

Download Submit
\Users\Admin\AppData\Local\Temp\E_WIN.EXE
Filesize
92KB

MD5
7cdc8057b3fe13b069b8db93fdde1764

SHA1
8ddd3c69fe3935e4903a2b397bc6f0de772a1bcb

SHA256
393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c

SHA512
7a7778b03a681bad08722019d27c2ca56609cbe6ec6e976b2d08e402b7ec5f2c7ad7d935632c0958b15b42d3dd066b1bd03707a778d77592a29b92adae684801

Download Submit
\Users\Admin\AppData\Local\Temp\PUTTY.EXE
Filesize
1.4MB

MD5
e32f72e15f78347c51c4ca1b2847f667

SHA1
de8b253c8aee745fdb082fec5ad0618c2e4cdb92

SHA256
341cb4515476007153b7f17212f5e4476852837a031efedd5a4adea723c0bcbe

SHA512
5e920453f6fb39b6da4020e803e94b997a4bbc71d5455d0717cea6673864dadc19d66971af9d2ce835b080da41b800e90778384c7799a6f9ac15a840cf4977e5

Download Submit
\Users\Admin\AppData\Local\Temp\PUTTY.EXE
Filesize
1.4MB

MD5
e32f72e15f78347c51c4ca1b2847f667

SHA1
de8b253c8aee745fdb082fec5ad0618c2e4cdb92

SHA256
341cb4515476007153b7f17212f5e4476852837a031efedd5a4adea723c0bcbe

SHA512
5e920453f6fb39b6da4020e803e94b997a4bbc71d5455d0717cea6673864dadc19d66971af9d2ce835b080da41b800e90778384c7799a6f9ac15a840cf4977e5

Download Submit
\Users\Admin\AppData\Local\Temp\PUTTY.EXE
Filesize
1.4MB

MD5
e32f72e15f78347c51c4ca1b2847f667

SHA1
de8b253c8aee745fdb082fec5ad0618c2e4cdb92

SHA256
341cb4515476007153b7f17212f5e4476852837a031efedd5a4adea723c0bcbe

SHA512
5e920453f6fb39b6da4020e803e94b997a4bbc71d5455d0717cea6673864dadc19d66971af9d2ce835b080da41b800e90778384c7799a6f9ac15a840cf4977e5

Download Submit
memory/688-70-0x0000000000000000-mapping.dmp

Download
memory/1128-69-0x0000000000000000-mapping.dmp

Download
memory/1260-64-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp

Filesize
8KB

Download
memory/1260-62-0x0000000000000000-mapping.dmp

Download
memory/1500-67-0x0000000000000000-mapping.dmp

Download
memory/1764-68-0x0000000000000000-mapping.dmp

Download
memory/1968-66-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1968-57-0x0000000000000000-mapping.dmp

Download
memory/2004-54-0x00000000765D1000-0x00000000765D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads