General

  • Target

    2023-05-29_f9e0a7bba7c83ccb3006ecd0e9111ab4_darkside

  • Size

    146KB

  • Sample

    230530-msna3shb56

  • MD5

    f9e0a7bba7c83ccb3006ecd0e9111ab4

  • SHA1

    59b9f82ccad40bae1c9a98d6eb42a4adb0d45817

  • SHA256

    4d0f95028bb6a04e64550872ddeef6b0c6fa4a5bd368736da47401420df2bee7

  • SHA512

    1df47dfe924b4cc264d40f6b723e7f8d18f5290b107329985b66eaacaa0bda861e3e06f0189338455293b57dd9d2ab5b63336631bd19917bdd2f9e5706b40057

  • SSDEEP

    3072:P6glyuxE4GsUPnliByocWeph5t+ASsSkmbz:P6gDBGpvEByocWejCASscz

Malware Config

Targets

    • Target

      2023-05-29_f9e0a7bba7c83ccb3006ecd0e9111ab4_darkside

    • Size

      146KB

    • MD5

      f9e0a7bba7c83ccb3006ecd0e9111ab4

    • SHA1

      59b9f82ccad40bae1c9a98d6eb42a4adb0d45817

    • SHA256

      4d0f95028bb6a04e64550872ddeef6b0c6fa4a5bd368736da47401420df2bee7

    • SHA512

      1df47dfe924b4cc264d40f6b723e7f8d18f5290b107329985b66eaacaa0bda861e3e06f0189338455293b57dd9d2ab5b63336631bd19917bdd2f9e5706b40057

    • SSDEEP

      3072:P6glyuxE4GsUPnliByocWeph5t+ASsSkmbz:P6gDBGpvEByocWejCASscz

    • Renames multiple (346) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (620) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6