Analysis

  • max time kernel
    51s
  • max time network
    55s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-04-2024 08:23

General

  • Target

    2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

  • Size

    147KB

  • MD5

    1b8977fa6d45aa48c790b038a8696b71

  • SHA1

    6c29c41ca7d413846057b6f32059ca1c714782bb

  • SHA256

    7b0f5d34e8021af4134dbc9b5a0119f8e2acf18ade91c5f2b2fd168daec0027b

  • SHA512

    189080dbc029f333251135bb702b5ecad477f9f9811c2704810e063c64b109fa8d2f5771a41fd286435d9a8ce368c352675971cd2d4d6c1191d9c2980333cebd

  • SSDEEP

    3072:1qJogYkcSNm9V7DtXJqJIw1gUQil+4O6JT:1q2kc4m9tDtXJqJIwll+

Malware Config

Extracted

Path

C:\ashOWYJUH.README.txt

Ransom Note
>>>> You need to contact us soon! Our contact email: [email protected]
>>>> Your data are stolen and encrypted
>>>> Your personal DECRYPTION ID: D9AC5C30CE91307B21DA852CC5F0868E
>>>> All files on your computer have been encrypted.
>>>> If you want to recover encrypted files, then contact us soon!
>>>> We can decrypt 1-3 files (doc, xls, pdf, txt, jpeg) for free. You can attach them to your email. Databases, archives, backups are decrypted only after payment!
>>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment.
>>>> You need to contact us soon! Our contact email: [email protected]
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
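The note above carries the two values an incident responder needs to pull out first: the per-victim decryption ID and the contact address. As an added example (not part of the sandbox report or the sample), the Python below parses that note text into structured IOCs and matches the observed note filename pattern. The note text is embedded as a constructed sample copied from the report; the contact address appears as "[email protected]" because the page's extraction redacted it, so no address is assumed or recovered. Treating the filename as "<alphanumeric prefix>.README.txt" is an assumption drawn from the single observed name C:\ashOWYJUH.README.txt.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the note text as it appears in this report. The
# contact address was redacted to "[email protected]" by the page's extraction,
# so no real address is present and none is assumed here.
SAMPLE_NOTE = (
    ">>>> You need to contact us soon! Our contact email: [email protected] "
    ">>>> Your data are stolen and encrypted "
    ">>>> Your personal DECRYPTION ID: D9AC5C30CE91307B21DA852CC5F0868E "
    ">>>> All files on your computer have been encrypted. "
    ">>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!"
)

# Observed note name in this run: C:\ashOWYJUH.README.txt. Treating the prefix as a
# variable alphanumeric string and ".README.txt" as a fixed suffix is an assumption
# based on this single sample.
NOTE_NAME_RE = re.compile(r"^[A-Za-z0-9]+\.README\.txt$", re.IGNORECASE)
DECRYPTION_ID_RE = re.compile(r"DECRYPTION ID:\s*([0-9A-Fa-f]{16,64})")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class RansomNoteIOCs:
    decryption_id: Optional[str]
    contact_emails: List[str] = field(default_factory=list)
    claims_exfiltration: bool = False
    lines: List[str] = field(default_factory=list)


def split_note(text: str) -> List[str]:
    """Split on the '>>>>' markers the note uses as line prefixes."""
    return [part.strip() for part in text.split(">>>>") if part.strip()]


def parse_ransom_note(text: str) -> RansomNoteIOCs:
    """Extract the decryption ID, any contact addresses and the exfiltration claim."""
    lines = split_note(text)
    id_match = DECRYPTION_ID_RE.search(text)
    emails = sorted(set(m.group(0) for m in EMAIL_RE.finditer(text)))
    # "stolen" is the double-extortion claim; it widens IR scope to data theft
    # regardless of whether the sandbox recorded any upload.
    exfil = "stolen" in text.lower()
    return RansomNoteIOCs(
        decryption_id=id_match.group(1).upper() if id_match else None,
        contact_emails=emails,
        claims_exfiltration=exfil,
        lines=lines,
    )


def is_ransom_note_name(filename: str) -> bool:
    """True for names shaped like the note dropped in this run (e.g. ashOWYJUH.README.txt)."""
    return NOTE_NAME_RE.match(filename) is not None
```

The decryption ID is the value to record per host: families that embed a per-victim ID generate it on the infected machine, so two hosts in one incident carrying the same ID is worth noticing, and a different ID per host means each note has to be collected separately.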

Signatures

  • Renames multiple (616) files with added filename extension

    Mass renaming of files to a new, appended extension by a single process is consistent with ransomware encrypting the files on the system.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers commonly read stored browser data, which can include saved credentials.

  • Drops desktop.ini file(s) (2 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  • Modifies Control Panel (2 IoCs)
  • Modifies registry class (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
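The first signature, one process appending a new extension to hundreds of files in a short time, is the behaviour most worth turning into a detection. As an added example (not from the sandbox or the sample), the Python below runs that logic over constructed file-rename telemetry: it counts, per process, renames of the form old + ".<ext>" inside a sliding time window and raises one alert when the count crosses a threshold. The events, the ".locked" extension and the benign renames are all constructed; the report does not name the extension this sample appends, only that one is added.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry in the shape of file-rename events. The PID and image
# path are taken from the report; the file names and the ".locked" extension are
# placeholders, since the report does not name the extension this sample adds.
BASE = datetime(2024, 4, 27, 8, 24, 0)
MALWARE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe"


def _ev(seconds: int, pid: int, image: str, old: str, new: str) -> Dict:
    return {"time": BASE + timedelta(seconds=seconds), "pid": pid, "image": image, "old": old, "new": new}


SAMPLE_EVENTS = [
    _ev(i, 3924, MALWARE_IMAGE,
        rf"C:\Users\Admin\Documents\file{i}.docx",
        rf"C:\Users\Admin\Documents\file{i}.docx.locked")
    for i in range(8)
] + [
    # Benign noise: a user renaming a file in Explorer, and a backup tool rotating one file.
    _ev(3, 1200, r"C:\Windows\explorer.exe", r"C:\Users\Admin\Desktop\draft.txt", r"C:\Users\Admin\Desktop\final.txt"),
    _ev(4, 2200, r"C:\Tools\backup.exe", r"C:\Data\db.sqlite", r"C:\Data\db.sqlite.bak"),
]


def appended_extension(old: str, new: str) -> Optional[str]:
    """Return '.ext' if new is exactly old plus one extra extension, else None."""
    if not new.startswith(old + "."):
        return None
    ext = new[len(old):]  # includes the leading dot
    if len(ext) < 2 or "." in ext[1:]:
        return None
    return ext


def detect_mass_rename(events: List[Dict], threshold: int = 5,
                       window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Alert when one process appends an extension to >= threshold files within `window`."""
    hits: Dict[Tuple[int, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        ext = appended_extension(ev["old"], ev["new"])
        if ext is not None:
            hits[(ev["pid"], ev["image"])].append((ev["time"], ext))

    alerts = []
    for (pid, image), renames in hits.items():
        for start, _ in renames:
            in_window = [ext for t, ext in renames if start <= t < start + window]
            if len(in_window) >= threshold:
                alerts.append({"pid": pid, "image": image, "count": len(in_window),
                               "extensions": sorted(set(in_window)), "window_start": start})
                break  # one alert per process is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print(alert)
```

The threshold is what keeps backup and archiving tools out of the alert queue: a tool that renames db.sqlite to db.sqlite.bak looks identical to the malware for one file, so the rule fires on rate and volume rather than on the rename shape alone. In this run the sandbox counted 616 renames in under a minute, far above any sensible threshold.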

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe"
    1
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3924

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3726321484-1950364574-433157660-1000\OOOOOOOOOOO

    Filesize

    129B

    MD5

    9c5b5b9ce23b75105e803bf3f00b81a3

    SHA1

    6c3d306e6247b8cb7b8a327ccf47f10c4c5a356c

    SHA256

    ca1122238461b94710d5eb521d8a877b1bdb9e3480905f28c762a9991c604519

    SHA512

    97c1e09fbbd3cd4c96de6013c7fe50101addbe42d32f918dd106697dca2c9b0def475ce1d29e850000de2b8fc39bb4540edb004756f6ee8167f7624f9012d81d

  • C:\ashOWYJUH.README.txt

    Filesize

    1KB

    MD5

    7ec62e633f6c19e4d4c99b63e42096dd

    SHA1

    306ffb0d2786dce3a4bb8188c0221aca517220a3

    SHA256

    76d4778bee2e787530e5ca94f9951fbae4ca63efc491112f6b7a41e5d360b948

    SHA512

    2225ba6455be470b3323a2bcb3e6a5bb9b21e18a977c9bb3b67fd65eb1d10c3c38a55b0e798bbabdd60502f28031cf3d3fb33eec3cce2d512c6b43860500456b

  • F:\$RECYCLE.BIN\S-1-5-21-3726321484-1950364574-433157660-1000\DDDDDDDDDDD

    Filesize

    129B

    MD5

    fa16359855404a22473ac07eb9461730

    SHA1

    a0e1086400897ecbafa3e041f86c6c64450a7ebf

    SHA256

    bfdd6b056e2a61530a7246f228724954316ce7b7479d24400cf60f843305ccaf

    SHA512

    a964cdd7c24f8c5dc9fcba5beaccbadde5d34f1aea4f81115fa5c8dffa9b072c884f5e298f49ef24836bb0cb60467b17986a981cc1d7632655ae379488d231cb

  • memory/3924-1-0x0000000003070000-0x0000000003080000-memory.dmp

    Filesize

    64KB

  • memory/3924-2-0x0000000003070000-0x0000000003080000-memory.dmp

    Filesize

    64KB

  • memory/3924-0-0x0000000003070000-0x0000000003080000-memory.dmp

    Filesize

    64KB