General

  • Target

    2024-11-15_926a2354fc5ad73582eb89b5e07fe584_darkside

  • Size

    146KB

  • Sample

    241115-bfwadazlaj

  • MD5

    926a2354fc5ad73582eb89b5e07fe584

  • SHA1

    f86cf3c2f92a51de9c05325b55bb509cb2ae9473

  • SHA256

    13d491eb547934d35ddca196341067007134568e591751994cd4f4057e0718ad

  • SHA512

    c8972c2144b7dff9a19a5ddc84135896afd03172c9fca5bef47367d11236c4ab068b6aa0183b3200fae8a54fae87f77e8c3253613ce13b932d03c59774785b2d

  • SSDEEP

    1536:YzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDRwEWZjirMqOpdLA33Uyz:HqJogYkcSNm9V7DRwEWZWIqOzL63T

Malware Config

Extracted

Path

C:\OYJFoF4Sh.README.txt

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at telegram first . if you don't get answer in 24 hours then write us a email Contact information : Mail 1 : [email protected] Telegram: https://t.me/Datacentric_Support You will receive btc address for payment in the reply letter No system is safe!
URLs

https://t.me/Datacentric_Support

Targets

    • Target

      2024-11-15_926a2354fc5ad73582eb89b5e07fe584_darkside

    • Size

      146KB

    • MD5

      926a2354fc5ad73582eb89b5e07fe584

    • SHA1

      f86cf3c2f92a51de9c05325b55bb509cb2ae9473

    • SHA256

      13d491eb547934d35ddca196341067007134568e591751994cd4f4057e0718ad

    • SHA512

      c8972c2144b7dff9a19a5ddc84135896afd03172c9fca5bef47367d11236c4ab068b6aa0183b3200fae8a54fae87f77e8c3253613ce13b932d03c59774785b2d

    • SSDEEP

      1536:YzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDRwEWZjirMqOpdLA33Uyz:HqJogYkcSNm9V7DRwEWZWIqOzL63T

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Renames multiple (7756) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks