General

Target: c2ee523bb90260218b88e7fe0b7ca0dee8c9042c863682619c542d4961ddb32e.exe
Size: 75KB
Sample: 240726-ge685sshkb
MD5: 82eab016732be7b8b8aa14f205ca69cf
SHA1: 818f451044610b1805e4c515d2bf112718fc8125
SHA256: c2ee523bb90260218b88e7fe0b7ca0dee8c9042c863682619c542d4961ddb32e
SHA512: 1b87a7b81c1841e6dff89224f386ff52bd752e124e8c1c68e480ba399446404ad29e92172731fccd93e8a89e61f5097c07c9d6e0f41d2131a96d317344343eea
SSDEEP: 1536:Dx7Fu4/i6/P3rlckx5+R4VDZ5CRGCq2iW7z:F7FujwPblhx1DZ5yGCH
Static task: static1

Behavioral task: behavioral1
Sample: c2ee523bb90260218b88e7fe0b7ca0dee8c9042c863682619c542d4961ddb32e.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: c2ee523bb90260218b88e7fe0b7ca0dee8c9042c863682619c542d4961ddb32e.exe
Resource: win10v2004-20240709-en
Malware Config

Extracted from: C:\Users\Admin\README.b77a682a.TXT
Family: darkside
URLs:
  http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF
  http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH
Targets

Target: c2ee523bb90260218b88e7fe0b7ca0dee8c9042c863682619c542d4961ddb32e.exe
Size: 75KB
MD5 / SHA1 / SHA256 / SHA512 / SSDEEP: identical to the values listed under General above.
Signatures

DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copy of, a web-browser credential store.
Renames multiple (161) files with added filename extension
  Suggests ransomware activity: files on the system are being encrypted and renamed with a new extension.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
Executes dropped EXE
Loads dropped DLL
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
  Anti-debugging: NtSetInformationThread with the ThreadHideFromDebugger information class hides the calling thread's debug events from an attached debugger.
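The two signatures above that carry the most weight for a responder are the mass rename with an appended extension and the dropped ransom note whose extracted configuration appears under Malware Config. The following Python is an added example (not part of this sandbox report and not the sample's own code) that turns those two observations into a small triage check over a constructed file-event feed. The rename events, the created-file list and the note body are constructed for the example; the ".b77a682a" suffix, the README.<8 hex>.TXT note pattern and the threshold of 5 renames are assumptions modelled on the single note path this page shows, and the two .onion URLs in the constructed note are the ones the sandbox extracted from that note.

```python
"""Triage helpers for mass-rename ransomware indicators (added example)."""
import re
from collections import defaultdict

# Constructed rename events (old_path, new_path), shaped like a sandbox
# file-monitor feed. Not taken from the report. The appended ".b77a682a"
# suffix is an assumption modelled on the token in the ransom note name
# observed on this page (README.b77a682a.TXT).
SAMPLE_EVENTS = [
    (r"C:\Users\Admin\Documents\budget.xlsx", r"C:\Users\Admin\Documents\budget.xlsx.b77a682a"),
    (r"C:\Users\Admin\Documents\plan.docx", r"C:\Users\Admin\Documents\plan.docx.b77a682a"),
    (r"C:\Users\Admin\Pictures\holiday.jpg", r"C:\Users\Admin\Pictures\holiday.jpg.b77a682a"),
    (r"C:\Users\Admin\Desktop\notes.txt", r"C:\Users\Admin\Desktop\notes.txt.b77a682a"),
    (r"C:\Users\Admin\Music\track01.mp3", r"C:\Users\Admin\Music\track01.mp3.b77a682a"),
    (r"C:\Users\Admin\Videos\clip.mp4", r"C:\Users\Admin\Videos\clip.mp4.b77a682a"),
    # Benign renames: name changed, and extension replaced rather than appended.
    (r"C:\Users\Admin\Documents\report.docx", r"C:\Users\Admin\Documents\report_final.docx"),
    (r"C:\Users\Admin\AppData\Local\Temp\x.tmp", r"C:\Users\Admin\AppData\Local\Temp\x.txt"),
]

# Constructed list of files created during the run; the note path is the one
# the sandbox reported on this page.
SAMPLE_CREATED = [
    r"C:\Users\Admin\README.b77a682a.TXT",
    r"C:\Users\Admin\AppData\Local\Temp\wallpaper.bmp",
]

# Constructed note body. The two URLs are the ones the sandbox extracted from
# the note on this page; the surrounding text is made up for the example.
SAMPLE_NOTE = """Your files are encrypted.
Contact us here:
http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF
http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH
"""

# A single appended ".ext" token (letters, digits, '_' or '-').
APPENDED_EXT = re.compile(r"^\.[A-Za-z0-9_-]{1,32}$")
# Assumed generalisation of the one note name on this page: README.<8 hex>.TXT
NOTE_NAME = re.compile(r"^README\.[0-9a-f]{8}\.TXT$", re.IGNORECASE)
# v2 (16 chars) or v3 (56 chars) .onion hostnames with an optional path.
ONION_URL = re.compile(r"https?://[a-z2-7]{16,56}\.onion(?:/[^\s\"'<>]*)?", re.IGNORECASE)


def appended_extension(old, new):
    """Return the extension appended to `old` to form `new`, or None when `new`
    is not exactly `old` plus one extra '.ext' token (so a replaced extension or
    a changed stem does not count)."""
    if not new.startswith(old):
        return None
    tail = new[len(old):]
    return tail if APPENDED_EXT.match(tail) else None


def detect_mass_rename(events, threshold=5):
    """Group rename events by appended extension and return {ext: [old paths]}
    for every extension that reached `threshold` (threshold is an assumption)."""
    by_ext = defaultdict(list)
    for old, new in events:
        ext = appended_extension(old, new)
        if ext:
            by_ext[ext].append(old)
    return {ext: paths for ext, paths in by_ext.items() if len(paths) >= threshold}


def find_ransom_notes(paths):
    """Return paths whose file name matches the assumed README.<8 hex>.TXT pattern."""
    return [p for p in paths if NOTE_NAME.match(p.rsplit("\\", 1)[-1])]


def extract_onion_urls(note_text):
    """Pull unique .onion URLs out of a ransom note body, sorted for stable output."""
    return sorted(set(ONION_URL.findall(note_text)))


def triage(events, created, note_text, threshold=5):
    """Combine the three checks into one summary dict."""
    flagged = detect_mass_rename(events, threshold)
    notes = find_ransom_notes([new for _, new in events] + created)
    return {
        "mass_rename_extensions": sorted(flagged),
        "renamed_file_count": sum(len(v) for v in flagged.values()),
        "ransom_notes": notes,
        "onion_urls": extract_onion_urls(note_text),
        "verdict": "likely ransomware" if flagged and notes else "inconclusive",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS, SAMPLE_CREATED, SAMPLE_NOTE).items():
        print(f"{key}: {value}")
```

The appended-extension check is deliberately strict: a rename that changes the stem or swaps one extension for another is ignored, so ordinary user activity does not accumulate toward the threshold, while the report's "added filename extension" pattern does. On a live host the same functions can be fed from file-system audit events instead of the constructed lists.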
-
MITRE ATT&CK Enterprise v15

Credential Access
  Credentials from Password Stores (T1555): 2
    Credentials from Web Browsers (T1555.003): 1
    Windows Credential Manager (T1555.004): 1
  Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1