Overview

overview

10

Static

static

3

f632dce9c6...8e.exe

windows7-x64

10

f632dce9c6...8e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-04-2024 11:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f632dce9c6fea6d80521a00fd89bfc7dbeaeb1e66ef680159c2c4209662a5d8e.exe

  • Size

    2.2MB

  • MD5

    99762b33396b8128e6e72fc66a8e8939

  • SHA1

    edb33f83c49268ef604e073d33f358b5b4da60ce

  • SHA256

    f632dce9c6fea6d80521a00fd89bfc7dbeaeb1e66ef680159c2c4209662a5d8e

  • SHA512

    71a5c78519ea6028bfffdb0d1199c36b245a70766e650dcab85b333966b6a66b3a8e1a672eee495a11a9ee5f722e00625e546f6d85b86067a6484ac27e4ed036

  • SSDEEP

    49152:yz+eK5Bhzwrb/TEvO90dL3BmAFd4A64nsfJqyM4w7qLiC/gv4sxZ2EAKEz1q:yz+rzLyM1GLhukEAO

Score
10/10
darksideransomware

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\README.txt

Family

darkside

Ransom Note
WINNER WINNER CHICKEN DINNER What happend? ############################################## All your servers and computers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ############################################## We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one image file for free. The file size should be no more than 2 MB. Contact us by email: [email protected] !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    ransomwaredarkside
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f632dce9c6fea6d80521a00fd89bfc7dbeaeb1e66ef680159c2c4209662a5d8e.exe
    "C:\Users\Admin\AppData\Local\Temp\f632dce9c6fea6d80521a00fd89bfc7dbeaeb1e66ef680159c2c4209662a5d8e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3972
    • C:\Windows\system32\cipher.exe
      cipher.exe /w:C:\
      2⤵
        PID:4972
      • C:\Windows\system32\cipher.exe
        cipher.exe /w:F:\
        2⤵
        • Enumerates connected drives
        PID:1756
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3820 --field-trial-handle=2496,i,15897292497548307209,13920214570023230813,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:3580

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Downloads\README.txt
        Filesize

        1009B

        MD5

        5f5d5821609d17a014cc9296fad94085

        SHA1

        c1c47a0a209df64d8b5326a993c0fafc8dfa1dad

        SHA256

        2cdb19bf6ca8ac5f13dde100b74e7a0a26a265fd19e8f6102a4c37b585bd6597

        SHA512

        dfd5d831a3b829a2012c241f75040c726acbee481bb3dadf1068ae33f194666d207fbffbc277d70c1dafe96af9219aabf72353d2abf53274b21c3914b1bd3886

        Download Submit