Overview

overview

10

Static

static

E_WIN.exe

windows7-x64

10

E_WIN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-11-2022 18:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    E_WIN.exe

  • Size

    92KB

  • MD5

    7cdc8057b3fe13b069b8db93fdde1764

  • SHA1

    8ddd3c69fe3935e4903a2b397bc6f0de772a1bcb

  • SHA256

    393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c

  • SHA512

    7a7778b03a681bad08722019d27c2ca56609cbe6ec6e976b2d08e402b7ec5f2c7ad7d935632c0958b15b42d3dd066b1bd03707a778d77592a29b92adae684801

  • SSDEEP

    1536:y8JknEUnj2zfGN2/PEiTsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2XsfzK7g:ynlnj2S+hTsrQLOJgY8Zp8LHD4XWaNHY

Score
10/10
darkylockransomware

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Family

darkylock

Ransom Note
---------- Hello ----------- ***WELCOME TO DARKY LOCK *** Your computers and servers are encrypted, and backups are deleted. We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation. The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network. Follow our instructions below, and you will recover all your data: 1) Pay 0.005 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i 2) Send us message with transaction id to [email protected] 3) Launch decrypt_bit.exe, which our support will send you through email What guarantees? ------------------ We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is tested by time and will decrypt all your data. ------------------ !!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!
Wallets

1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i

Signatures

  • DarkyLock

    Ransomware family first seen in July 2022.

    ransomwaredarkylock
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\E_WIN.exe
    "C:\Users\Admin\AppData\Local\Temp\E_WIN.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:852
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3328
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3652
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1592
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3512
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3548
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Restore-My-Files.txt
      1⤵
        PID:4420

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Downloads\Restore-My-Files.txt
        Filesize

        1011B

        MD5

        ade9f28bd9924b23f0c79700b075605c

        SHA1

        4a5f70f2ffcab05fe529f64f29616fb5f05a473c

        SHA256

        936159b865127ffa36271b2b126bfc0e15b37704f0a22049a1fb2cb4cb1d4f61

        SHA512

        321d7bc07533cbff45a74c8ca588d84335bd478efafc9aa4ff2325e8fc182b0820a6361897cc47fda2faeb15445fac3e1a27ccf88e429fceeb1024a8a873f56a

        Download Submit

      • memory/852-133-0x0000000000000000-mapping.dmp

        Download

      • memory/1592-136-0x0000000000000000-mapping.dmp

        Download

      • memory/3328-134-0x0000000000000000-mapping.dmp

        Download

      • memory/3652-135-0x0000000000000000-mapping.dmp

        Download

      • memory/4616-132-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

        Download