General

  • Target

    2023-05-26_c5ee09c97bf40c412c0af88d1c24e12c_darkside

  • Size

    146KB

  • Sample

    230527-derlxaag41

  • MD5

    c5ee09c97bf40c412c0af88d1c24e12c

  • SHA1

    ba1caedb0237c28d986c40af5a3f289bb3190891

  • SHA256

    48a0366841e2f59b533510f532b220458d3fd489efc4b71d00d2b9429b292fb9

  • SHA512

    a0d7b482f391a01b82cf42fc9cd4bbdd42f11352b90ed41e4e693dfefe9723b8f198822d45194643da498e878d15eaa217b7170298b3d4676082266a63978432

  • SSDEEP

    1536:lzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDsJOR0GgNWMwFcPBAtrPjYV/iUk:mqJogYkcSNm9V7DsUR0Gsce4DUZiT

Malware Config

Extracted

Path

C:\Users\Admin\M3bz9xyxk.README.txt

Ransom Note
All your files are encrypted!!! You will not be able to decrypt on your own! The only way to recover your files is to get a decryptor and a unique decryption key. Only with the help of a decryptor you can return all your data to its original state. To make sure we have a decryptor and it works, you can send an email to: [email protected] and decrypt one file for free. But that file doesn't have to be valuable! Are you sure you want to recover the files? Telegram: @unl0king https://t.me/unl0king Email: [email protected] Warning. * Do not rename encrypted files. * Do not try to decrypt data with third-party software, it may cause irreversible data loss. Your personal decryption ID: 79BB7A1FA31333E9128169549F691331
URLs

https://t.me/unl0king

Extracted

Path

C:\M3bz9xyxk.README.txt

Ransom Note
All your files are encrypted!!! You will not be able to decrypt on your own! The only way to recover your files is to get a decryptor and a unique decryption key. Only with the help of a decryptor you can return all your data to its original state. To make sure we have a decryptor and it works, you can send an email to: [email protected] and decrypt one file for free. But that file doesn't have to be valuable! Are you sure you want to recover the files? Telegram: @unl0king https://t.me/unl0king Email: [email protected] Warning. * Do not rename encrypted files. * Do not try to decrypt data with third-party software, it may cause irreversible data loss. Your personal decryption ID: 79BB7A1FA31333E900563EB76901872F
URLs

https://t.me/unl0king

Targets

    • Target

      2023-05-26_c5ee09c97bf40c412c0af88d1c24e12c_darkside

    • Size

      146KB

    • MD5

      c5ee09c97bf40c412c0af88d1c24e12c

    • SHA1

      ba1caedb0237c28d986c40af5a3f289bb3190891

    • SHA256

      48a0366841e2f59b533510f532b220458d3fd489efc4b71d00d2b9429b292fb9

    • SHA512

      a0d7b482f391a01b82cf42fc9cd4bbdd42f11352b90ed41e4e693dfefe9723b8f198822d45194643da498e878d15eaa217b7170298b3d4676082266a63978432

    • SSDEEP

      1536:lzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDsJOR0GgNWMwFcPBAtrPjYV/iUk:mqJogYkcSNm9V7DsUR0Gsce4DUZiT

    • Renames multiple (366) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (634) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks