Analysis

  • max time kernel
    39s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • submitted
    16-07-2022 16:53

General

  • Target

    393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe

  • Size

    92KB

  • MD5

    7cdc8057b3fe13b069b8db93fdde1764

  • SHA1

    8ddd3c69fe3935e4903a2b397bc6f0de772a1bcb

  • SHA256

    393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c

  • SHA512

    7a7778b03a681bad08722019d27c2ca56609cbe6ec6e976b2d08e402b7ec5f2c7ad7d935632c0958b15b42d3dd066b1bd03707a778d77592a29b92adae684801

Score
10/10

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Family

darkylock

Ransom Note ---------- Hello ----------- ***WELCOME TO DARKY LOCK *** Your computers and servers are encrypted, and backups are deleted. We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation. The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network. Follow our instructions below, and you will recover all your data: 1) Pay 0.005 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i 2) Send us message with transaction id to darkylock@tutanota.com 3) Launch decrypt_bit.exe, which our support will send you through email What guarantees? ------------------ We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is tested by time and will decrypt all your data. ------------------ !!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!
Emails

darkylock@tutanota.com

Wallets

1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i

Signatures

  • DarkyLock

    Ransomware family first seen in July 2022.

  • Deletes shadow copies ⋅ 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files ⋅ 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives ⋅ 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies ⋅ 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses ⋅ 1 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 3 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe
    "C:\Users\Admin\AppData\Local\Temp\393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c.exe"
    Modifies extensions of user files
    Enumerates connected drives
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        Interacts with shadow copies
        PID:1160
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      Suspicious use of WriteProcessMemory
      PID:976
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        Interacts with shadow copies
        PID:1324
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:472

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Initial Access

              Lateral Movement

                Persistence

                  Privilege Escalation

                    Replay Monitor

                    00:00 00:00

                    Downloads

                    • memory/976-58-0x0000000000000000-mapping.dmp
                    • memory/1160-57-0x0000000000000000-mapping.dmp
                    • memory/1232-56-0x0000000000000000-mapping.dmp
                    • memory/1324-59-0x0000000000000000-mapping.dmp
                    • memory/1968-54-0x00000000754D1000-0x00000000754D3000-memory.dmp
                    • memory/1968-55-0x0000000000400000-0x000000000041B000-memory.dmp