Analysis

  • max time kernel
    44s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    16-11-2022 18:06

General

  • Target

    E_WIN.exe

  • Size

    92KB

  • MD5

    7cdc8057b3fe13b069b8db93fdde1764

  • SHA1

    8ddd3c69fe3935e4903a2b397bc6f0de772a1bcb

  • SHA256

    393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c

  • SHA512

    7a7778b03a681bad08722019d27c2ca56609cbe6ec6e976b2d08e402b7ec5f2c7ad7d935632c0958b15b42d3dd066b1bd03707a778d77592a29b92adae684801

  • SSDEEP

    1536:y8JknEUnj2zfGN2/PEiTsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2XsfzK7g:ynlnj2S+hTsrQLOJgY8Zp8LHD4XWaNHY

Score
10/10

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Family

darkylock

Ransom Note
---------- Hello ----------- ***WELCOME TO DARKY LOCK *** Your computers and servers are encrypted, and backups are deleted. We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation. The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network. Follow our instructions below, and you will recover all your data: 1) Pay 0.005 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i 2) Send us message with transaction id to darkylock@tutanota.com 3) Launch decrypt_bit.exe, which our support will send you through email What guarantees? ------------------ We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is tested by time and will decrypt all your data. ------------------ !!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!
Emails

darkylock@tutanota.com

Wallets

1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i

Signatures

  • DarkyLock

    Ransomware family first seen in July 2022.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\E_WIN.exe
    "C:\Users\Admin\AppData\Local\Temp\E_WIN.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:996
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1704
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:460
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

File Deletion

2
T1107

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/460-59-0x0000000000000000-mapping.dmp
  • memory/968-54-0x0000000075921000-0x0000000075923000-memory.dmp
    Filesize

    8KB

  • memory/968-55-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

  • memory/996-56-0x0000000000000000-mapping.dmp
  • memory/1704-57-0x0000000000000000-mapping.dmp
  • memory/1920-58-0x0000000000000000-mapping.dmp