General

  • Target

    2023-05-22_585055d0ab5a7756a8056ae39ffb1292_darkside

  • Size

    146KB

  • Sample

    230523-dp8yyadf27

  • MD5

    585055d0ab5a7756a8056ae39ffb1292

  • SHA1

    50b863d35a7ef90719d43a56a4089971914f0a85

  • SHA256

    734955fdb84b29fa1aa87aa0af2ebf155125917a6b61ffe4b4dc7030dd212309

  • SHA512

    14243b2bc43ff0bc422dc9598982d260e6d9c89608d976df1877c99c674d127108843f089a3935d7aad9e5aae9b47d20dc58bef388d68316a2b4f6846fa83aa7

  • SSDEEP

    3072:16glyuxE4GsUPnliByocWeplOg+rbZYQDfrdR:16gDBGpvEByocWeKgsn

Malware Config

Targets

    • Target

      2023-05-22_585055d0ab5a7756a8056ae39ffb1292_darkside

    • Renames multiple (345) files with added filename extension

      Renaming many files at once by appending a new extension is the classic trace of ransomware encrypting files across the system; the count is the number of renames the sandbox observed during this run.

    • Renames multiple (623) files with added filename extension

      A second hit of the same signature with a higher count, consistent with the encryption pass continuing across more of the file system.

    • Modifies extensions of user files

      The renamed files sit under user profile paths; ransomware generally changes the extension of the files it has encrypted, so this is the signature that distinguishes user-data encryption from renames of temporary or system files.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely as a geofence check: many ransomware families abort when the system locale belongs to a country they exclude, so this lookup is worth noting when reproducing the behaviour in a lab VM.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Stored browser profile data (saved credentials, cookies, history) is a common infostealer target; for a ransomware sample this is worth confirming in the file-access trace, since a broad directory walk during encryption can trip the same path check.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops the calling thread from reporting debug events to an attached debugger, a common anti-analysis technique.

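How the two "Renames multiple files with added filename extension" signatures and the "Modifies extensions of user files" signature above are decided can be shown with a small detector. The following is an added example, not code from the sandbox or from any analysis of this sample; it runs over a constructed list of file-rename events, and the process path, the alert threshold, the user-profile prefix and the placeholder extension are all assumptions.

```python
"""Added example: detect mass appended-extension renames (the signature
the sandbox fired above) over constructed file-rename events."""
import ntpath
from collections import defaultdict
from dataclasses import dataclass

# Assumed threshold: a process that appends the same extension to this many
# files is reported. The sandbox's own threshold is not stated on the page.
MASS_RENAME_THRESHOLD = 5
# Assumed marker for "user files": anything under a per-user profile.
USER_PROFILE_PREFIX = "C:\\Users\\"


@dataclass(frozen=True)
class RenameEvent:
    pid: int
    image: str      # path of the process performing the rename
    old_path: str
    new_path: str


def appended_extension(old_path, new_path):
    """Return the extension appended to old_path to form new_path, or None
    when new_path is not old_path plus exactly one extra extension
    (same directory, no further dots, alphanumeric token)."""
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if old_dir.lower() != new_dir.lower():
        return None
    if not new_name.lower().startswith(old_name.lower() + "."):
        return None
    ext = new_name[len(old_name) + 1:]
    if not ext or "." in ext or not ext.isalnum():
        return None
    return ext


def detect_mass_rename(events, threshold=MASS_RENAME_THRESHOLD):
    """Group appended-extension renames per (pid, image, extension) and
    report every group at or above threshold, with the number of renamed
    files that live under a user profile."""
    groups = defaultdict(list)
    for ev in events:
        ext = appended_extension(ev.old_path, ev.new_path)
        if ext is not None:
            groups[(ev.pid, ev.image, ext)].append(ev)
    findings = []
    for (pid, image, ext), evs in groups.items():
        if len(evs) >= threshold:
            user_files = sum(1 for e in evs
                             if e.old_path.startswith(USER_PROFILE_PREFIX))
            findings.append({"pid": pid, "image": image, "extension": ext,
                             "count": len(evs), "user_files": user_files})
    return sorted(findings, key=lambda f: -f["count"])


# Constructed events. RANSOM is a hypothetical process path and ".e3f4a5b6"
# a placeholder extension, not the one produced by the analysed sample.
RANSOM = "C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe"
SAMPLE_EVENTS = [
    # Six appended-extension renames by one process: five under the user
    # profile, one under ProgramData.
    RenameEvent(4120, RANSOM, "C:\\Users\\alice\\Documents\\q1.docx",
                "C:\\Users\\alice\\Documents\\q1.docx.e3f4a5b6"),
    RenameEvent(4120, RANSOM, "C:\\Users\\alice\\Documents\\budget.xlsx",
                "C:\\Users\\alice\\Documents\\budget.xlsx.e3f4a5b6"),
    RenameEvent(4120, RANSOM, "C:\\Users\\alice\\Pictures\\IMG_0001.jpg",
                "C:\\Users\\alice\\Pictures\\IMG_0001.jpg.e3f4a5b6"),
    RenameEvent(4120, RANSOM, "C:\\Users\\alice\\Desktop\\todo.txt",
                "C:\\Users\\alice\\Desktop\\todo.txt.e3f4a5b6"),
    RenameEvent(4120, RANSOM, "C:\\Users\\alice\\Music\\track.mp3",
                "C:\\Users\\alice\\Music\\track.mp3.e3f4a5b6"),
    RenameEvent(4120, RANSOM, "C:\\ProgramData\\App\\settings.db",
                "C:\\ProgramData\\App\\settings.db.e3f4a5b6"),
    # Benign: an editor swapping its temp file in (extension replaced).
    RenameEvent(880, "C:\\Program Files\\Editor\\editor.exe",
                "C:\\Users\\alice\\Documents\\notes.tmp",
                "C:\\Users\\alice\\Documents\\notes.txt"),
    # Benign: a backup tool appending .bak to two files, below threshold.
    RenameEvent(2200, "C:\\Tools\\backup.exe",
                "C:\\Users\\alice\\Documents\\report.docx",
                "C:\\Users\\alice\\Documents\\report.docx.bak"),
    RenameEvent(2200, "C:\\Tools\\backup.exe",
                "C:\\Users\\alice\\Documents\\plan.docx",
                "C:\\Users\\alice\\Documents\\plan.docx.bak"),
]


if __name__ == "__main__":
    for finding in detect_mass_rename(SAMPLE_EVENTS):
        print(finding)
```

The per-extension grouping is what keeps a backup tool appending .bak to a few files below the line while a single process stamping one new extension onto hundreds of files is reported; the user_files count is the basis for the separate "Modifies extensions of user files" verdict. Lowering the threshold (for example to 2) surfaces the backup tool as well, which is the trade-off a sandbox signature author has to make.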
MITRE ATT&CK Enterprise v6

Tasks