darkside | 0f808fd3ecf9d722aafeee46b57aad4d07f39c98be6f6148be979ed470cf0a99

Resubmissions

27-01-2024 19:37

240127-yb5pksafd3 10

27-01-2024 19:36

240127-ybqwesafc2 10

12-05-2021 15:56

210512-db4t7vmwas 10

Analysis

max time kernel
91s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Size

56KB
MD5

84c1567969b86089cc33dccf41562bcd
SHA1

53f2133cb25186e9fa6d4ea3b0e41eee5aba5ef2
SHA256

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b
SHA512

72a411cacd503b6fadb15dc90f1f9beb79ff79c620df76da381e5c780c53e11258aae72db2848c241ec55af403d67d62340e429e86c23bbf8a71287738de7eaa
SSDEEP

768:AiN4q1eksgR4SiI+rxQ3rjFrXRRWxXyw/Afy81XweyetnR9Wsf5AyT9G3kZ:r4HHerjZX7pLken5nWXWi

Score

10^/10

darkside ransomware

Malware Config

Extracted

Path

C:\README.b2100882.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 500GB data. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I When you open our website, put the following data in the input form: Key: I3tBdXvJ3pOvnhgmupZAJ7BpD5IVUftr7deEdtoxwK0QcbZciUXfs5ChjD0Yj8H2wUXfctFHYShVQHWhwi1CBDRQVPgXqnCgVRQql7B1tS8Q6TSdHq5o0UxOaDrdKCoMCdrMZiw0RTbfpDpuRwLI52rP5YaqZx492wErocN9C7PE6eFQEcqwqiFNA1FwVD3fogTJqOdTJI84FnlCBuRd1ippdTk8y2x16ukfPvVHi4MhyU8i4K1Q25a7wXQUPXhIffgZBnTimLzalSGyaI3f2MlQeYbpFG2o4nfnZCHDMAZAUY6CaiR0eAYVEvesreMmimT1EOyGYjNVtGHrJYXuRI4tYZIVlsHm6Ord42NV9s9PftLGkO8NBScZ9dBTNtz0xw9tpgu8GegVTlMesg6xkUAQWJcy6MNt9nJ7lHydpu27bA1GL8MX8lWAldnClSoUrDYRc8RAZ1oUfMfbtmvMDBGVENh8kMUYaxOt7hD1HxKFn0p5XcCDzWRSWkKUTtt7C6OiIpNOUAYYJ3UvC5S3uoXmt4iokkGq1SSMnr7sXmnekmh9oNwJgh7 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (175) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description ioc process

File opened (read-only) \??\F: 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
File opened (read-only)	\??\F:	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Drops file in System32 directory 12 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\71DC818AAEA1211A26ACC273B35C74BA	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\71DC818AAEA1211A26ACC273B35C74BA	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\b2100882.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\WallpaperStyle = "10"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Modifies data under HKEY_USERS 40 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 3904bee23392a4b7db0b21d2f3054646d7610e1e7053cd3a4e14e77468626810	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 0e365debbaf99c292909a69d281f155eec44b15bd30b8f0bcc937badf61f15ec	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = d496730335297ed303fc6b23c65c6459444fb5e7b4ecb33341e1cbaff0b6ce5d	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 3c73fc9c62bed4c9491c5308fae9dee4e07401394466617b0c9c3e8f45ae2ce3	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = eefcb0da3a5962ee6294106d32db7aba64e564e3f797cf4b3a7bbe9bc81cc14d	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = eb867e3916df33185a4cd7534febc9e93c59a7193c6f410daff007cfd9025052	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 513d8632dac3fa748b48de18b30512760f92f5df25ff81b31fcff882f23d0ab5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 740b000068120e5c5851da01	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = cbc8852271239ed02cd16d4d77f3a219261fa2443b78729f0757710349f0dfc1	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = b1bb72827700a1a13645e064f1d14c3322b42beaa67b095cf90d0afc639fbf6e	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 76d7540ab4350842991a54227152074d21b05083a3c6a4c06711dd00ea598d8d	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\b2100882.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d002e0062006c00660000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Modifies registry class 5 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.b2100882	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.b2100882\ = "b2100882"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\b2100882\DefaultIcon	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\b2100882	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\b2100882\DefaultIcon\ = "C:\\ProgramData\\b2100882.ico"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

pid	process
3068	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3068	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2932	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2224 vssvc.exe
Token: SeRestorePrivilege 2224 vssvc.exe
Token: SeAuditPrivilege 2224 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2224	vssvc.exe
Token: SeRestorePrivilege	2224	vssvc.exe
Token: SeAuditPrivilege	2224	vssvc.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	pid	process	target process
PID 2680 wrote to memory of 3068	2680		516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 2680 wrote to memory of 3068	2680		516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 2680 wrote to memory of 3068	2680		516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 2680 wrote to memory of 3068	2680		516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 3068 wrote to memory of 2932	3068	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 3068 wrote to memory of 2932	3068	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 3068 wrote to memory of 2932	3068	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 3068 wrote to memory of 1688	3068	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 3068 wrote to memory of 1688	3068	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 3068 wrote to memory of 1688	3068	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
"C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
1⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
"C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
1⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
"C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
2⤵
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe -work worker0 job0-3068
3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2932

C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe -work worker1 job1-3068
3⤵
- Enumerates connected drives
PID:1688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\README.b2100882.TXT
Filesize
2KB

MD5
cc9673216d53012c400856b86968c4a2

SHA1
80945bfdc6f2b30fd7b47e92ae762ab4ad792659

SHA256
5dfc11166e6b0e978aa5b95aaf2a51733033379b7e7980f5fa1d42b6333cf9e0

SHA512
f556026b31927923f385325adb493934e45750f401bf4787a0f0602f8309f520c967da72b9924f1872895718a5376eb8c433084496f5903670ad1e1d47cc4266

Download Submit