Overview

overview

10

Static

static

3

a48af4ad3e...74.exe

windows7-x64

10

a48af4ad3e...74.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774

  • Size

    166KB

  • Sample

    240728-cx3w8ashrl

  • MD5

    be1c18efa764b1b32421b6beb57cd3e9

  • SHA1

    9fff40b4653ab368e04e398d9c54a1aa3a320d49

  • SHA256

    a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774

  • SHA512

    f35e3f123f4b0378626de52035390d2b8c9cf42f5b1882c66d8a79c58cd798a89506fb402a93a7ceaba1078226d7eba80e9c8a93321fc0a17e4e012fc8b15824

  • SSDEEP

    3072:o/0Lu+FKdYM69P6padn/DDonc8oOgajAnPvNHwcW0m1QTj:o/d+FKdYMQPrdn/HovAnlwx0cC

Score
10/10
darksidecredential_accessdiscoveryexecutionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\README.6caf1429.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW When you open our website, put the following data in the input form: Key: 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW

Targets

    • Target

      a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774

    • Size

      166KB

    • MD5

      be1c18efa764b1b32421b6beb57cd3e9

    • SHA1

      9fff40b4653ab368e04e398d9c54a1aa3a320d49

    • SHA256

      a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774

    • SHA512

      f35e3f123f4b0378626de52035390d2b8c9cf42f5b1882c66d8a79c58cd798a89506fb402a93a7ceaba1078226d7eba80e9c8a93321fc0a17e4e012fc8b15824

    • SSDEEP

      3072:o/0Lu+FKdYM69P6padn/DDonc8oOgajAnPvNHwcW0m1QTj:o/d+FKdYMQPrdn/HovAnlwx0cC

    Score
    10/10
    darksidecredential_accessdiscoveryexecutionransomwarespywarestealer

    • DarkSide

      Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

      ransomwaredarkside

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Renames multiple (172) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Resource Development

Reconnaissance

Tasks