General

  • Target

    2023-05-26_7ee9a995fa84386e7a8c975719c08892_darkside

  • Size

    146KB

  • Sample

    230527-ddyntsad78

  • MD5

    7ee9a995fa84386e7a8c975719c08892

  • SHA1

    de8ed35009edf0958928c531a9b49e0e1ab25083

  • SHA256

    149d691411f10f8ec7af43f0237ccfab5b65a9ae73718acf1e0cc0dbdea36ebd

  • SHA512

    8cd1a4f589a1e1cc132f06c458af435ec87ab37b04a005c980c59759632b04f329de2c7c80791802dd75fe62e2adf5cea87e555ac1e586da5ee96b6dd392ea76

  • SSDEEP

    3072:I6glyuxE4GsUPnliByocWepfV+oOpy70FcT//3XUJ:I6gDBGpvEByocWepV+qCcDU

Malware Config

Targets

    • Target

      2023-05-26_7ee9a995fa84386e7a8c975719c08892_darkside

    • Size

      146KB

    • MD5

      7ee9a995fa84386e7a8c975719c08892

    • SHA1

      de8ed35009edf0958928c531a9b49e0e1ab25083

    • SHA256

      149d691411f10f8ec7af43f0237ccfab5b65a9ae73718acf1e0cc0dbdea36ebd

    • SHA512

      8cd1a4f589a1e1cc132f06c458af435ec87ab37b04a005c980c59759632b04f329de2c7c80791802dd75fe62e2adf5cea87e555ac1e586da5ee96b6dd392ea76

    • SSDEEP

      3072:I6glyuxE4GsUPnliByocWepfV+oOpy70FcT//3XUJ:I6gDBGpvEByocWepV+qCcDU

    • Renames multiple (336) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (604) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks