darkside | 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b

General

Target

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Size

56KB
MD5

84c1567969b86089cc33dccf41562bcd
SHA1

53f2133cb25186e9fa6d4ea3b0e41eee5aba5ef2
SHA256

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b
SHA512

72a411cacd503b6fadb15dc90f1f9beb79ff79c620df76da381e5c780c53e11258aae72db2848c241ec55af403d67d62340e429e86c23bbf8a71287738de7eaa
SSDEEP

768:AiN4q1eksgR4SiI+rxQ3rjFrXRRWxXyw/Afy81XweyetnR9Wsf5AyT9G3kZ:r4HHerjZX7pLken5nWXWi

Score

10^/10

darkside ransomware

Malware Config

Extracted

Path

C:\README.b2100882.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 500GB data. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I When you open our website, put the following data in the input form: Key: I3tBdXvJ3pOvnhgmupZAJ7BpD5IVUftr7deEdtoxwK0QcbZciUXfs5ChjD0Yj8H2wUXfctFHYShVQHWhwi1CBDRQVPgXqnCgVRQql7B1tS8Q6TSdHq5o0UxOaDrdKCoMCdrMZiw0RTbfpDpuRwLI52rP5YaqZx492wErocN9C7PE6eFQEcqwqiFNA1FwVD3fogTJqOdTJI84FnlCBuRd1ippdTk8y2x16ukfPvVHi4MhyU8i4K1Q25a7wXQUPXhIffgZBnTimLzalSGyaI3f2MlQeYbpFG2o4nfnZCHDMAZAUY6CaiR0eAYVEvesreMmimT1EOyGYjNVtGHrJYXuRI4tYZIVlsHm6Ord42NV9s9PftLGkO8NBScZ9dBTNtz0xw9tpgu8GegVTlMesg6xkUAQWJcy6MNt9nJ7lHydpu27bA1GL8MX8lWAldnClSoUrDYRc8RAZ1oUfMfbtmvMDBGVENh8kMUYaxOt7hD1HxKFn0p5XcCDzWRSWkKUTtt7C6OiIpNOUAYYJ3UvC5S3uoXmt4iokkGq1SSMnr7sXmnekmh9oNwJgh7 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (113) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description ioc process

File opened (read-only) \??\F: 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
File opened (read-only)	\??\F:	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Drops file in System32 directory 12 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\71DC818AAEA1211A26ACC273B35C74BA	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\71DC818AAEA1211A26ACC273B35C74BA	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\b2100882.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\WallpaperStyle = "10"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Modifies data under HKEY_USERS 40 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = c3edbe74a43298ef0b1487c38d42dd22b37ef4668d06d80269b6de2b7e309b10	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = d68af47c38e6f941ef07cb111c7c19050dce49e56c20ac7aecef7f0f125dc0bb	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = d35ad43131d3fac02329611052d17ce6045b29ca6b83d7fff3346ec88677f29d	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = bb4adf63023ebd39b37042209cb5a2503bf931795f2ebb029a3fea2a8653a8c8	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 40ed9561acefca045b6262974fc198d505febc93f032ca24ccd9b538d354bde8	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = a08739a5e92a35512a9229bf92e0423993537953929509100c4584eb0a5d32e1	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 9790b165b1ccf96e72d61401ecf6dfb3ebdd47b510e1f9ab018773d8c08ff215	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d002e0062006c00660000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 680900006544ef5e5851da01	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\b2100882.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 11b7327aa36764c27c14c28068d3447872ba3b520a3127c85c5a03ebf9376e67	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 94e3f12e8049c31577379ce83eb0a1254a242cc936c143aac7764a3ca330cd1c	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 3e9001e6d0b6c8a54e2aedd404510889ce5b58a7c27f8a89c612b5e475a58bf1	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Modifies registry class 5 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.b2100882	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.b2100882\ = "b2100882"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\b2100882\DefaultIcon	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\b2100882	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\b2100882\DefaultIcon\ = "C:\\ProgramData\\b2100882.ico"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

pid	process
2284	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2284	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2408	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2352 vssvc.exe
Token: SeRestorePrivilege 2352 vssvc.exe
Token: SeAuditPrivilege 2352 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2352	vssvc.exe
Token: SeRestorePrivilege	2352	vssvc.exe
Token: SeAuditPrivilege	2352	vssvc.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	pid	process	target process
PID 2008 wrote to memory of 2284	2008	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 2008 wrote to memory of 2284	2008	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 2008 wrote to memory of 2284	2008	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 2008 wrote to memory of 2284	2008	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 2284 wrote to memory of 2408	2284	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 2284 wrote to memory of 2408	2284	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 2284 wrote to memory of 2408	2284	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 2284 wrote to memory of 2904	2284	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 2284 wrote to memory of 2904	2284	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 2284 wrote to memory of 2904	2284	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
"C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
1⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
"C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
  "C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
  2⤵
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
    C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe -work worker0 job0-2284
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2408
- - C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
    C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe -work worker1 job1-2284
    3⤵
    - Enumerates connected drives
    PID:2904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\README.b2100882.TXT

Filesize
2KB

MD5
cc9673216d53012c400856b86968c4a2

SHA1
80945bfdc6f2b30fd7b47e92ae762ab4ad792659

SHA256
5dfc11166e6b0e978aa5b95aaf2a51733033379b7e7980f5fa1d42b6333cf9e0

SHA512
f556026b31927923f385325adb493934e45750f401bf4787a0f0602f8309f520c967da72b9924f1872895718a5376eb8c433084496f5903670ad1e1d47cc4266

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads