General

  • Target

    2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside

  • Size

    146KB

  • Sample

    241006-flmyeatapl

  • MD5

    e09dd7cca0c6c147ba21b4062e723c5b

  • SHA1

    ff6333bdda824e4c13bcd13351bd4bb14aaeab11

  • SHA256

    d9938ac4346d03a07f8ce8b57436e75ba5e936372b9bfd0386f18f6d56902c88

  • SHA512

    603f45dc0b3302739ef6e4727572ecf64cf6f65c80af1e05aa3795fc9ce36849cf0f465bbf8a9f116c8fb3da8d91998ec5582b24503f4f43764e7b3543a94c4e

  • SSDEEP

    3072:yqJogYkcSNm9V7DNDgSKet5JXglKso1WT:yq2kc4m9tDjlrJX3so

Malware Config

Extracted

Path

C:\fB1SZ2i3X.README.txt

Ransom Note

>>>> Your data are stolen and encrypted!
>>>> Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate.
Your competitors or law enforcement may get them on the web.
Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...
You can request the tree of files that we have.
>>>> You need contact us and decrypt one file for free, send a small file for test decryption with your personal DECRYPTION ID to tox chat:
>>>> Your personal DECRYPTION ID: 7FBC34A4128F7B758BE867DB7880E1B9
1)Download and install TOX chat: https://tox.chat
2)Write to this tox id: DED25DCB2AAAF65A05BEA584A0D1BB1D55DD2D8BB4185FA39B5175C60C8DDD0C0A7F8A8EC815 and wait for the answer, we will always answer you.
>>>> DO NOT MODIFY FILES YOURSELF.
>>>> DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
>>>> YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.
>>>> YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY.

URLs

https://tox.chat

Extracted

Path

C:\fB1SZ2i3X.README.txt

Ransom Note

>>>> Your data are stolen and encrypted!
>>>> Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate.
Your competitors or law enforcement may get them on the web.
Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...
You can request the tree of files that we have.
>>>> You need contact us and decrypt one file for free, send a small file for test decryption with your personal DECRYPTION ID to tox chat:
>>>> Your personal DECRYPTION ID: 7FBC34A4128F7B756951645128A273D7
1)Download and install TOX chat: https://tox.chat
2)Write to this tox id: DED25DCB2AAAF65A05BEA584A0D1BB1D55DD2D8BB4185FA39B5175C60C8DDD0C0A7F8A8EC815 and wait for the answer, we will always answer you.
>>>> DO NOT MODIFY FILES YOURSELF.
>>>> DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
>>>> YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.
>>>> YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY.

URLs

https://tox.chat

Targets

    • Target

      2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside

    • Size

      146KB

    • MD5

      e09dd7cca0c6c147ba21b4062e723c5b

    • SHA1

      ff6333bdda824e4c13bcd13351bd4bb14aaeab11

    • SHA256

      d9938ac4346d03a07f8ce8b57436e75ba5e936372b9bfd0386f18f6d56902c88

    • SHA512

      603f45dc0b3302739ef6e4727572ecf64cf6f65c80af1e05aa3795fc9ce36849cf0f465bbf8a9f116c8fb3da8d91998ec5582b24503f4f43764e7b3543a94c4e

    • SSDEEP

      3072:yqJogYkcSNm9V7DNDgSKet5JXglKso1WT:yq2kc4m9tDjlrJX3so

    • Renames multiple (337) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks