Overview

overview

10

Static

static

fc28d2eaee...d6.exe

windows7-x64

10

fc28d2eaee...d6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • submitted
    16-07-2022 16:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe

  • Size

    1.5MB

  • MD5

    60ed30bea0f9e2db5cc1f45241c7473c

  • SHA1

    62b33edc9682bc780bc68d34ae7b19eaf429e42d

  • SHA256

    fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6

  • SHA512

    e746f0e3e37bc1c8d8a30f9e9e01cb0ab3d95e0338a1cfde78f5442b5492c8427addf0e732264fd3b4d775b2c148ba336b0269d4e194a816a97e1bebc57b7802

Score
10/10
darkylockransomware

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Family

darkylock

Ransom Note
---------- Hello ----------- ***WELCOME TO DARKY LOCK *** Your computers and servers are encrypted, and backups are deleted. We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation. The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network. Follow our instructions below, and you will recover all your data: 1) Pay 0.005 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i 2) Send us message with transaction id to [email protected] 3) Launch decrypt_bit.exe, which our support will send you through email What guarantees? ------------------ We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is tested by time and will decrypt all your data. ------------------ !!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!
Wallets

1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i

Signatures

  • DarkyLock

    Ransomware family first seen in July 2022.

    ransomwaredarkylock
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 3 IoCs
  • Modifies extensions of user files 18 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 4 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe
    "C:\Users\Admin\AppData\Local\Temp\fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE
      "C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1764
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1128
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:688
    • C:\Users\Admin\AppData\Local\Temp\PUTTY.EXE
      "C:\Users\Admin\AppData\Local\Temp\PUTTY.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1260
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1440

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE
    Filesize

    92KB

    MD5

    7cdc8057b3fe13b069b8db93fdde1764

    SHA1

    8ddd3c69fe3935e4903a2b397bc6f0de772a1bcb

    SHA256

    393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c

    SHA512

    7a7778b03a681bad08722019d27c2ca56609cbe6ec6e976b2d08e402b7ec5f2c7ad7d935632c0958b15b42d3dd066b1bd03707a778d77592a29b92adae684801

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\PUTTY.EXE
    Filesize

    1.4MB

    MD5

    e32f72e15f78347c51c4ca1b2847f667

    SHA1

    de8b253c8aee745fdb082fec5ad0618c2e4cdb92

    SHA256

    341cb4515476007153b7f17212f5e4476852837a031efedd5a4adea723c0bcbe

    SHA512

    5e920453f6fb39b6da4020e803e94b997a4bbc71d5455d0717cea6673864dadc19d66971af9d2ce835b080da41b800e90778384c7799a6f9ac15a840cf4977e5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\E_WIN.EXE
    Filesize

    92KB

    MD5

    7cdc8057b3fe13b069b8db93fdde1764

    SHA1

    8ddd3c69fe3935e4903a2b397bc6f0de772a1bcb

    SHA256

    393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c

    SHA512

    7a7778b03a681bad08722019d27c2ca56609cbe6ec6e976b2d08e402b7ec5f2c7ad7d935632c0958b15b42d3dd066b1bd03707a778d77592a29b92adae684801

    Download Submit

  • \Users\Admin\AppData\Local\Temp\E_WIN.EXE
    Filesize

    92KB

    MD5

    7cdc8057b3fe13b069b8db93fdde1764

    SHA1

    8ddd3c69fe3935e4903a2b397bc6f0de772a1bcb

    SHA256

    393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c

    SHA512

    7a7778b03a681bad08722019d27c2ca56609cbe6ec6e976b2d08e402b7ec5f2c7ad7d935632c0958b15b42d3dd066b1bd03707a778d77592a29b92adae684801

    Download Submit

  • \Users\Admin\AppData\Local\Temp\PUTTY.EXE
    Filesize

    1.4MB

    MD5

    e32f72e15f78347c51c4ca1b2847f667

    SHA1

    de8b253c8aee745fdb082fec5ad0618c2e4cdb92

    SHA256

    341cb4515476007153b7f17212f5e4476852837a031efedd5a4adea723c0bcbe

    SHA512

    5e920453f6fb39b6da4020e803e94b997a4bbc71d5455d0717cea6673864dadc19d66971af9d2ce835b080da41b800e90778384c7799a6f9ac15a840cf4977e5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\PUTTY.EXE
    Filesize

    1.4MB

    MD5

    e32f72e15f78347c51c4ca1b2847f667

    SHA1

    de8b253c8aee745fdb082fec5ad0618c2e4cdb92

    SHA256

    341cb4515476007153b7f17212f5e4476852837a031efedd5a4adea723c0bcbe

    SHA512

    5e920453f6fb39b6da4020e803e94b997a4bbc71d5455d0717cea6673864dadc19d66971af9d2ce835b080da41b800e90778384c7799a6f9ac15a840cf4977e5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\PUTTY.EXE
    Filesize

    1.4MB

    MD5

    e32f72e15f78347c51c4ca1b2847f667

    SHA1

    de8b253c8aee745fdb082fec5ad0618c2e4cdb92

    SHA256

    341cb4515476007153b7f17212f5e4476852837a031efedd5a4adea723c0bcbe

    SHA512

    5e920453f6fb39b6da4020e803e94b997a4bbc71d5455d0717cea6673864dadc19d66971af9d2ce835b080da41b800e90778384c7799a6f9ac15a840cf4977e5

    Download Submit

  • memory/688-70-0x0000000000000000-mapping.dmp

    Download

  • memory/1128-69-0x0000000000000000-mapping.dmp

    Download

  • memory/1260-64-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1260-62-0x0000000000000000-mapping.dmp

    Download

  • memory/1500-67-0x0000000000000000-mapping.dmp

    Download

  • memory/1764-68-0x0000000000000000-mapping.dmp

    Download

  • memory/1968-66-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1968-57-0x0000000000000000-mapping.dmp

    Download

  • memory/2004-54-0x00000000765D1000-0x00000000765D3000-memory.dmp

    Filesize

    8KB

    Download