Analysis
-
max time kernel
39s -
max time network
41s -
platform
windows7_x64 -
resource
win7-20220715-en -
submitted
16-07-2022 16:53
Static task
static1
Behavioral task
behavioral1
Sample
393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe
Resource
win10v2004-20220414-en
General
-
Target
393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe
-
Size
92KB
-
MD5
7cdc8057b3fe13b069b8db93fdde1764
-
SHA1
8ddd3c69fe3935e4903a2b397bc6f0de772a1bcb
-
SHA256
393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c
-
SHA512
7a7778b03a681bad08722019d27c2ca56609cbe6ec6e976b2d08e402b7ec5f2c7ad7d935632c0958b15b42d3dd066b1bd03707a778d77592a29b92adae684801
Malware Config
Extracted
C:\Restore-My-Files.txt
darkylock
1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i
Signatures
-
DarkyLock
Ransomware family first seen in July 2022.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\JoinInitialize.png => C:\Users\Admin\Pictures\JoinInitialize.png.darky 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened for modification C:\Users\Admin\Pictures\JoinInitialize.png.darky 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File renamed C:\Users\Admin\Pictures\ConnectUnprotect.png => C:\Users\Admin\Pictures\ConnectUnprotect.png.darky 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened for modification C:\Users\Admin\Pictures\ConnectUnprotect.png.darky 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File renamed C:\Users\Admin\Pictures\EnterEdit.tif => C:\Users\Admin\Pictures\EnterEdit.tif.darky 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened for modification C:\Users\Admin\Pictures\EnterEdit.tif.darky 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File renamed C:\Users\Admin\Pictures\JoinClear.png => C:\Users\Admin\Pictures\JoinClear.png.darky 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened for modification C:\Users\Admin\Pictures\JoinClear.png.darky 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\T: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\F: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\H: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\Z: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\M: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\Q: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\W: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\I: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\O: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\A: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\G: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\K: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\L: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\X: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\Y: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\P: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\V: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\B: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\E: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\U: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\S: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\J: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe File opened (read-only) \??\N: 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1160 vssadmin.exe 1324 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1968 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 472 vssvc.exe Token: SeRestorePrivilege 472 vssvc.exe Token: SeAuditPrivilege 472 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1968 wrote to memory of 1232 1968 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe 27 PID 1968 wrote to memory of 1232 1968 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe 27 PID 1968 wrote to memory of 1232 1968 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe 27 PID 1968 wrote to memory of 1232 1968 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe 27 PID 1232 wrote to memory of 1160 1232 cmd.exe 29 PID 1232 wrote to memory of 1160 1232 cmd.exe 29 PID 1232 wrote to memory of 1160 1232 cmd.exe 29 PID 1968 wrote to memory of 976 1968 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe 35 PID 1968 wrote to memory of 976 1968 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe 35 PID 1968 wrote to memory of 976 1968 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe 35 PID 1968 wrote to memory of 976 1968 393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe 35 PID 976 wrote to memory of 1324 976 cmd.exe 37 PID 976 wrote to memory of 1324 976 cmd.exe 37 PID 976 wrote to memory of 1324 976 cmd.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe"C:\Users\Admin\AppData\Local\Temp\393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1160
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1324
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:472