General
-
Target
E_WIN.bin
-
Size
92KB
-
Sample
221116-wpx6jsgc41
-
MD5
7cdc8057b3fe13b069b8db93fdde1764
-
SHA1
8ddd3c69fe3935e4903a2b397bc6f0de772a1bcb
-
SHA256
393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c
-
SHA512
7a7778b03a681bad08722019d27c2ca56609cbe6ec6e976b2d08e402b7ec5f2c7ad7d935632c0958b15b42d3dd066b1bd03707a778d77592a29b92adae684801
-
SSDEEP
1536:y8JknEUnj2zfGN2/PEiTsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2XsfzK7g:ynlnj2S+hTsrQLOJgY8Zp8LHD4XWaNHY
Static task
static1
Behavioral task
behavioral1
Sample
E_WIN.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
E_WIN.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
Path |
C:\Restore-My-Files.txt |
Family |
darkylock |
Ransom Note | ---------- Hello ----------- ***WELCOME TO DARKY LOCK *** Your computers and servers are encrypted, and backups are deleted. We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation. The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network. Follow our instructions below, and you will recover all your data: 1) Pay 0.005 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i 2) Send us message with transaction id to darkylock@tutanota.com 3) Launch decrypt_bit.exe, which our support will send you through email What guarantees? ------------------ We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is tested by time and will decrypt all your data. ------------------ !!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!! |
Emails |
darkylock@tutanota.com |
Wallets |
1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i |
Targets
-
-
Target
E_WIN.bin
-
Size
92KB
-
MD5
7cdc8057b3fe13b069b8db93fdde1764
-
SHA1
8ddd3c69fe3935e4903a2b397bc6f0de772a1bcb
-
SHA256
393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c
-
SHA512
7a7778b03a681bad08722019d27c2ca56609cbe6ec6e976b2d08e402b7ec5f2c7ad7d935632c0958b15b42d3dd066b1bd03707a778d77592a29b92adae684801
-
SSDEEP
1536:y8JknEUnj2zfGN2/PEiTsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2XsfzK7g:ynlnj2S+hTsrQLOJgY8Zp8LHD4XWaNHY
Score10/10-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation