General

  • Target

    2023-05-25_d8018c533bddc9a7c70e9a1b7cceaffc_darkside

  • Size

    147KB

  • Sample

    230527-c3mr7aaf2s

  • MD5

    d8018c533bddc9a7c70e9a1b7cceaffc

  • SHA1

    b48062131daa8a084919771c3b1fb2cab54dfa2e

  • SHA256

    cb83eb6f5fd42f59b1c1a34826df48e5a5882c45e4a7f34c80c0830c26cb30dd

  • SHA512

    23e723b9e19ebc5da100528cdec8ed971713d19144053fa236db373a0dac36a643d78cfc674620693374f585264b6d71821c6a1cdb16fb970fbe6a5fba16e852

  • SSDEEP

    1536:MzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDRokw1QoYH7xeall66DhAEqoUyz:jqJogYkcSNm9V7DTkUl6kA9oT

Malware Config

Extracted

Path

C:\q9ziivUR8.README.txt

Ransom Note
===============================================================================
|!| ALL YOUR FILES HAVE BEEN LOCKED |!|
===============================================================================
# What happened?
Your files now is encrypted, eg document, photos, and spreadsheet
# Why me?
This is not an personal attack, just blame your security provider or network admin, LOL
# What should I do?
Pay for decryptor or you can pay for decryption, we will decrypt it and send it to you after the payment is settled down. Once the payment has been made, we'll follow up with a transaction to the same address, this transaction include file or decryptor we've promised as a part of the transaction.
>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment.
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
For the futher negotiation, you can reach us by
> tox id FCE769C4BBC00B8ED0C91264B7D29FD0CF9A3AF22C12AEB1ACFEF4A970B6993CE4B6165CFB3E

Targets

    • Renames multiple (324) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (606) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks