General
-
Target
0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe.zip
-
Size
33KB
-
Sample
240409-jplrashh89
-
MD5
d7bf8d0de15e1ba8e6aa23928ec1fc65
-
SHA1
c9ab99c55e6a58e196317bd650937b00e664c8d4
-
SHA256
2d0d2be9dd689d078335f677e1fafdd462179d300f149438d8dc1fdfd91ead1f
-
SHA512
713e112eb4fad675ee845081b1be7c638ec93ae78d35d905cd379c9d8608b1eef44f35027c682651dc60ab3bc60ee9204cad10e053ff7771a540b38ad0c59ee3
-
SSDEEP
768:XMfR2kTUAAVXfbFjxghQ7f/5f2gGyh411/qo0zu3:XFkTuVXjtP7f/AI21SU
Static task
static1
Behavioral task
behavioral1
Sample
0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
Resource
win11-20240221-en
Malware Config
Extracted
C:\Recovery\README.5c43cc46.TXT
darkside
http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q
http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM
Targets
-
-
Target
0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
-
Size
56KB
-
MD5
979692cd7fc638beea6e9d68c752f360
-
SHA1
c511ae4d80aaa281c610190aa13630de61ca714c
-
SHA256
0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9
-
SHA512
d7b7b6a968e6d7b7f3e7f98decb6b331b08122e491bf0b0dbe243223fb177218a758c34830f20c47f2a799acdd146297ec7f930c2bb4d5c6830ce65c8274ea6d
-
SSDEEP
768:piN4q1eksgR4SiI+rxQ3rjFrXRRWxXyw/Afy8fIaJ/ZB49j9xOOLd9kvAx0:g4HHerjZX7pLjJKjSO5i
Score10/10-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Renames multiple (166) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-