darkylock | fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6

General

Target

fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe
Size

1.5MB
MD5

60ed30bea0f9e2db5cc1f45241c7473c
SHA1

62b33edc9682bc780bc68d34ae7b19eaf429e42d
SHA256

fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6
SHA512

e746f0e3e37bc1c8d8a30f9e9e01cb0ab3d95e0338a1cfde78f5442b5492c8427addf0e732264fd3b4d775b2c148ba336b0269d4e194a816a97e1bebc57b7802
SSDEEP

49152:Dn3kKc0rJdjgqsLqf3ZfM0Pa5kLLcatsXkjbGDGe0VM:D3k1nkLiDxL

Score

10^/10

darkylock ransomware

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Family

darkylock

Ransom Note

---------- Hello ----------- ***WELCOME TO DARKY LOCK *** Your computers and servers are encrypted, and backups are deleted. We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation. The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network. Follow our instructions below, and you will recover all your data: 1) Pay 0.005 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i 2) Send us message with transaction id to [email protected] 3) Launch decrypt_bit.exe, which our support will send you through email What guarantees? ------------------ We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is tested by time and will decrypt all your data. ------------------ !!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!

Emails

[email protected]

Wallets

1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i

Signatures

DarkyLock
Ransomware family first seen in July 2022.
ransomware darkylock
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

E_WIN.EXEPUTTY.EXE

pid process

1776 E_WIN.EXE
2844 PUTTY.EXE

pid	process
1776	E_WIN.EXE
2844	PUTTY.EXE

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

E_WIN.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\RedoSwitch.tiff	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\ResetGet.png => C:\Users\Admin\Pictures\ResetGet.png.darky	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\StopCompare.png.darky	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\RedoSwitch.tiff.darky	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\StopCompare.png => C:\Users\Admin\Pictures\StopCompare.png.darky	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\ImportPop.crw => C:\Users\Admin\Pictures\ImportPop.crw.darky	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\ImportPop.crw.darky	E_WIN.EXE
File renamed	C:\Users\Admin\Pictures\RedoSwitch.tiff => C:\Users\Admin\Pictures\RedoSwitch.tiff.darky	E_WIN.EXE
File opened for modification	C:\Users\Admin\Pictures\ResetGet.png.darky	E_WIN.EXE

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

E_WIN.EXEfc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	E_WIN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

E_WIN.EXE

description	ioc	process
File opened (read-only)	\??\Q:	E_WIN.EXE
File opened (read-only)	\??\I:	E_WIN.EXE
File opened (read-only)	\??\P:	E_WIN.EXE
File opened (read-only)	\??\L:	E_WIN.EXE
File opened (read-only)	\??\X:	E_WIN.EXE
File opened (read-only)	\??\V:	E_WIN.EXE
File opened (read-only)	\??\R:	E_WIN.EXE
File opened (read-only)	\??\F:	E_WIN.EXE
File opened (read-only)	\??\G:	E_WIN.EXE
File opened (read-only)	\??\H:	E_WIN.EXE
File opened (read-only)	\??\N:	E_WIN.EXE
File opened (read-only)	\??\M:	E_WIN.EXE
File opened (read-only)	\??\T:	E_WIN.EXE
File opened (read-only)	\??\U:	E_WIN.EXE
File opened (read-only)	\??\O:	E_WIN.EXE
File opened (read-only)	\??\A:	E_WIN.EXE
File opened (read-only)	\??\S:	E_WIN.EXE
File opened (read-only)	\??\J:	E_WIN.EXE
File opened (read-only)	\??\W:	E_WIN.EXE
File opened (read-only)	\??\E:	E_WIN.EXE
File opened (read-only)	\??\Y:	E_WIN.EXE
File opened (read-only)	\??\K:	E_WIN.EXE
File opened (read-only)	\??\Z:	E_WIN.EXE
File opened (read-only)	\??\B:	E_WIN.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4848 vssadmin.exe
1612 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

E_WIN.EXE

pid process

1776 E_WIN.EXE
1776 E_WIN.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PUTTY.EXE

pid process

2844 PUTTY.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2312 vssvc.exe
Token: SeRestorePrivilege 2312 vssvc.exe
Token: SeAuditPrivilege 2312 vssvc.exe

pid	process
4848	vssadmin.exe
1612	vssadmin.exe

pid	process
1776	E_WIN.EXE
1776	E_WIN.EXE

pid	process
2844	PUTTY.EXE

description	pid	process
Token: SeBackupPrivilege	2312	vssvc.exe
Token: SeRestorePrivilege	2312	vssvc.exe
Token: SeAuditPrivilege	2312	vssvc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exeE_WIN.EXEcmd.execmd.exe

description	pid	process	target process
PID 2672 wrote to memory of 1776	2672	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe	E_WIN.EXE
PID 2672 wrote to memory of 1776	2672	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe	E_WIN.EXE
PID 2672 wrote to memory of 1776	2672	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe	E_WIN.EXE
PID 2672 wrote to memory of 2844	2672	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe	PUTTY.EXE
PID 2672 wrote to memory of 2844	2672	fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe	PUTTY.EXE
PID 1776 wrote to memory of 1264	1776	E_WIN.EXE	cmd.exe
PID 1776 wrote to memory of 1264	1776	E_WIN.EXE	cmd.exe
PID 1264 wrote to memory of 4848	1264	cmd.exe	vssadmin.exe
PID 1264 wrote to memory of 4848	1264	cmd.exe	vssadmin.exe
PID 1776 wrote to memory of 4644	1776	E_WIN.EXE	cmd.exe
PID 1776 wrote to memory of 4644	1776	E_WIN.EXE	cmd.exe
PID 4644 wrote to memory of 1612	4644	cmd.exe	vssadmin.exe
PID 4644 wrote to memory of 1612	4644	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe
"C:\Users\Admin\AppData\Local\Temp\fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE
  "C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks computer location settings
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4848
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1612
- C:\Users\Admin\AppData\Local\Temp\PUTTY.EXE
  "C:\Users\Admin\AppData\Local\Temp\PUTTY.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE

Filesize
92KB

MD5
7cdc8057b3fe13b069b8db93fdde1764

SHA1
8ddd3c69fe3935e4903a2b397bc6f0de772a1bcb

SHA256
393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c

SHA512
7a7778b03a681bad08722019d27c2ca56609cbe6ec6e976b2d08e402b7ec5f2c7ad7d935632c0958b15b42d3dd066b1bd03707a778d77592a29b92adae684801

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE

Filesize
92KB

MD5
7cdc8057b3fe13b069b8db93fdde1764

SHA1
8ddd3c69fe3935e4903a2b397bc6f0de772a1bcb

SHA256
393a7a313548a4edc025fb47c6c8e614ecc2b41db880ecb59f20cf238e9a864c

SHA512
7a7778b03a681bad08722019d27c2ca56609cbe6ec6e976b2d08e402b7ec5f2c7ad7d935632c0958b15b42d3dd066b1bd03707a778d77592a29b92adae684801

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUTTY.EXE

Filesize
1.4MB

MD5
e32f72e15f78347c51c4ca1b2847f667

SHA1
de8b253c8aee745fdb082fec5ad0618c2e4cdb92

SHA256
341cb4515476007153b7f17212f5e4476852837a031efedd5a4adea723c0bcbe

SHA512
5e920453f6fb39b6da4020e803e94b997a4bbc71d5455d0717cea6673864dadc19d66971af9d2ce835b080da41b800e90778384c7799a6f9ac15a840cf4977e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUTTY.EXE

Filesize
1.4MB

MD5
e32f72e15f78347c51c4ca1b2847f667

SHA1
de8b253c8aee745fdb082fec5ad0618c2e4cdb92

SHA256
341cb4515476007153b7f17212f5e4476852837a031efedd5a4adea723c0bcbe

SHA512
5e920453f6fb39b6da4020e803e94b997a4bbc71d5455d0717cea6673864dadc19d66971af9d2ce835b080da41b800e90778384c7799a6f9ac15a840cf4977e5

Download Submit
memory/1264-139-0x0000000000000000-mapping.dmp

Download
memory/1612-142-0x0000000000000000-mapping.dmp

Download
memory/1776-132-0x0000000000000000-mapping.dmp

Download
memory/1776-138-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2844-135-0x0000000000000000-mapping.dmp

Download
memory/4644-141-0x0000000000000000-mapping.dmp

Download
memory/4848-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads