General

  • Target

    2024-12-11_af1398f1ed01ca6264103405691c1eb7_darkside

  • Size

    147KB

  • Sample

    241211-dygwtaymgp

  • MD5

    af1398f1ed01ca6264103405691c1eb7

  • SHA1

    faa0ca77538c07e98ab62c68e12f477cfe319cb0

  • SHA256

    8e26b0b429c46d959aa0193685bdbe0ed0ff19a3a5bd316e976a99084d800bae

  • SHA512

    8b1ccc69a04123f535460729d4632c3120f298eb8c2fe4fcc2a914a9fdf9cc715bb54633248e9118dff3241469afdaa3f698317b4501a34f47541705ab049943

  • SSDEEP

    1536:lzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDnSlfefmViaPukTQfxeK1FqGa1v:mqJogYkcSNm9V7DnYWfiiarTmKDmOHT

Malware Config

Extracted

Path

C:\1lGbHM0Gk.README.txt

Ransom Note
-------------YOUR DATA IS ENCRYPTED! --------------------

>>>> Write us to the e-mail and ask how to decrypt files: [email protected]

>>>> Your personal DECRYPTION ID: 354FEE4

Unlocking your data is possible only with our software.
All your files were encrypted and important data was copied to our storage
If you want to recover files, contact the operator in the TOX application, enter YOUR ID 354FEE4
Add the ID 21402979683F7B36CF675B23D49021C26074512599459413C7FD573052A9902383D8957302CD of your personal operator as a friend so that you can start chatting.
If the Operator did not respond within 24 hours or encountered any problem then send an email to our support [email protected]
In the header of the letter, indicate your ID and attach 2-3 infected files to generate a private key and compile the decryptor
Files should not have important information and should not exceed the size of more than 5 MB
After receiving the ransom, we will send a recovery tool with detailed instructions within an hour and delete your files from our storages

--------- Attention ---------
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
If you refuse to pay the ransom, Important Data that contains personal confidential information or trade secrets will be sold to third parties interested in them.
In any case, we will receive a payment, and your company will face problems in law enforcement and judicial areas.

>>>>>Don't be afraid to contact us. Remember, this is the only way to recover your data.<<<<<<
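A triage helper, added here as an example and not part of the sandbox report, that pulls the hunt-ready indicators out of the note above: the random stem of the note filename, the victim's decryption ID, and the Tox contact ID. The Tox ID is checked with the address checksum toxcore uses (the last two bytes are the byte-wise XOR of the preceding 36 bytes, folded into two positions), so a stray 76-character hex blob is not mistaken for a contact. The note path and text are copied from this page; the e-mail addresses are redacted on the page as "[email protected]", so the e-mail extractor finds nothing in this sample.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed inputs: the note path and the note text as they appear in this report.
# The two e-mail addresses are redacted on the page as "[email protected]" and are
# therefore not recoverable; that token does not match the e-mail pattern below.
NOTE_PATH = r"C:\1lGbHM0Gk.README.txt"
NOTE_TEXT = (
    "-------------YOUR DATA IS ENCRYPTED! --------------------\n"
    ">>>> Write us to the e-mail and ask how to decrypt files: [email protected]\n"
    ">>>> Your personal DECRYPTION ID: 354FEE4\n"
    "Unlocking your data is possible only with our software.\n"
    "All your files were encrypted and important data was copied to our storage\n"
    "If you want to recover files, contact the operator in the TOX application, enter YOUR ID 354FEE4\n"
    "Add the ID 21402979683F7B36CF675B23D49021C26074512599459413C7FD573052A9902383D8957302CD "
    "of your personal operator as a friend so that you can start chatting.\n"
    "If the Operator did not respond within 24 hours or encountered any problem then send "
    "an email to our support [email protected]\n"
    "If you refuse to pay the ransom, Important Data that contains personal confidential "
    "information or trade secrets will be sold to third parties interested in them.\n"
)

TOX_ID_HEX_LEN = 76  # 32-byte public key + 4-byte nospam + 2-byte checksum, hex encoded


def tox_id_checksum_ok(tox_id: str) -> bool:
    """Check a Tox ID the way toxcore does: the trailing two bytes must equal the
    XOR of the preceding 36 bytes folded into two positions (checksum[i % 2] ^= b)."""
    if len(tox_id) != TOX_ID_HEX_LEN or not re.fullmatch(r"[0-9A-Fa-f]+", tox_id):
        return False
    raw = bytes.fromhex(tox_id)
    checksum = [0, 0]
    for i, b in enumerate(raw[:36]):
        checksum[i % 2] ^= b
    return bytes(checksum) == raw[36:]


@dataclass
class NoteIndicators:
    note_filename: str
    note_stem: Optional[str]            # random prefix before ".README.txt"
    decryption_id: Optional[str]        # the per-victim ID the operators key on
    tox_ids: List[str] = field(default_factory=list)
    rejected_tox_candidates: List[str] = field(default_factory=list)  # bad checksum
    emails: List[str] = field(default_factory=list)
    claims_exfiltration: bool = False   # double-extortion language present


def extract_indicators(note_path: str, note_text: str) -> NoteIndicators:
    """Pull hunt-ready indicators out of a dropped ransom note."""
    filename = ntpath.basename(note_path)
    stem = re.match(r"([A-Za-z0-9]+)\.README\.txt$", filename, re.I)
    dec_id = re.search(r"DECRYPTION ID:\s*([0-9A-Fa-f]+)", note_text)

    tox_ids, rejected = [], []
    for cand in re.findall(r"\b[0-9A-Fa-f]{76}\b", note_text):
        (tox_ids if tox_id_checksum_ok(cand) else rejected).append(cand)

    # The redaction marker "[email protected]" has no dot after the "@", so it is not matched.
    emails = re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", note_text)

    return NoteIndicators(
        note_filename=filename,
        note_stem=stem.group(1) if stem else None,
        decryption_id=dec_id.group(1) if dec_id else None,
        tox_ids=tox_ids,
        rejected_tox_candidates=rejected,
        emails=emails,
        claims_exfiltration=bool(re.search(r"copied to our storage|will be sold", note_text, re.I)),
    )


if __name__ == "__main__":
    print(extract_indicators(NOTE_PATH, NOTE_TEXT))
```

The Tox ID in this note passes the checksum, so it is a usable contact indicator rather than filler; the note stem is worth carrying as well, since the same random string names the note in every directory it is dropped into.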

Targets

    • Target

      2024-12-11_af1398f1ed01ca6264103405691c1eb7_darkside

    • Size

      147KB

    • MD5

      af1398f1ed01ca6264103405691c1eb7

    • SHA1

      faa0ca77538c07e98ab62c68e12f477cfe319cb0

    • SHA256

      8e26b0b429c46d959aa0193685bdbe0ed0ff19a3a5bd316e976a99084d800bae

    • SHA512

      8b1ccc69a04123f535460729d4632c3120f298eb8c2fe4fcc2a914a9fdf9cc715bb54633248e9118dff3241469afdaa3f698317b4501a34f47541705ab049943

    • SSDEEP

      1536:lzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDnSlfefmViaPukTQfxeK1FqGa1v:mqJogYkcSNm9V7DnYWfiiarTmKDmOHT

    • Renames multiple (327) files with added filename extension

      Renaming 327 files by appending a new extension is the pattern ransomware leaves when it encrypts files and marks each one; the count covers the sandbox's short run, not every file on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence: many ransomware families exit without encrypting when the locale matches one of the operators' excluded regions.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data such as saved credentials, cookies and session tokens; for an encryptor this can also be the file walk reaching the browser profile directories, so check whether the data was read or only enumerated.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion (T1070.004)

      Adversaries may delete files left behind by their intrusion activity; together with "Deletes itself" above, this limits what an incident responder can recover from disk.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11), after which debug events from that thread are no longer delivered to an attached debugger; breakpoints placed in it crash the process instead of pausing it. An anti-analysis technique.
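Detection logic for the behaviours listed above, added here as an example and not taken from the sandbox or from any vendor rule. It runs over constructed file-activity telemetry (rename and create events keyed by PID) and flags a process that stamps one appended extension onto a burst of files within a short window, as the 327 renames here do, while letting a slow backup tool that appends .bak pass; ransom-note drops matching the report's C:\1lGbHM0Gk.README.txt naming and desktop.ini drops are reported alongside. The thresholds, the note-name length bounds and the .locked extension are assumptions, since the report does not name the extension this sample appends.

```python
import ntpath
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class FileEvent:
    ts: float           # seconds since epoch
    pid: int
    action: str         # "rename" or "create"
    path: str           # original path (rename) or created path
    new_path: str = ""  # destination path for renames


# Thresholds are assumptions for this example, not values from the report.
RENAME_THRESHOLD = 50       # appended-extension renames inside one window
WINDOW_SECONDS = 60.0
# Note filename pattern modelled on the report's C:\1lGbHM0Gk.README.txt (length bounds assumed).
NOTE_NAME_RE = re.compile(r"^[A-Za-z0-9]{6,12}\.README\.txt$", re.I)


def appended_extension(old: str, new: str) -> Optional[str]:
    """Return the suffix if `new` is `old` plus an extra '.<ext>' in the same directory."""
    if ntpath.dirname(old).lower() != ntpath.dirname(new).lower():
        return None
    o, n = ntpath.basename(old), ntpath.basename(new)
    if len(n) > len(o) + 1 and n.lower().startswith(o.lower() + "."):
        return n[len(o):]
    return None


def max_in_window(times: List[float], window: float) -> int:
    """Largest number of timestamps that fall inside any `window`-second span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def assess(events: Iterable[FileEvent]) -> Dict[int, dict]:
    """Score each process on mass renames with an appended extension,
    ransom-note drops and desktop.ini drops."""
    per_pid = defaultdict(lambda: {"rename_ts": [], "exts": Counter(), "notes": [], "ini": 0})
    for e in events:
        rec = per_pid[e.pid]
        if e.action == "rename":
            ext = appended_extension(e.path, e.new_path)
            if ext is not None:
                rec["rename_ts"].append(e.ts)
                rec["exts"][ext] += 1
        elif e.action == "create":
            name = ntpath.basename(e.path)
            if NOTE_NAME_RE.match(name):
                rec["notes"].append(e.path)
            elif name.lower() == "desktop.ini":
                rec["ini"] += 1

    findings = {}
    for pid, rec in per_pid.items():
        burst = max_in_window(rec["rename_ts"], WINDOW_SECONDS)
        total = sum(rec["exts"].values())
        dominant, dom_count = (rec["exts"].most_common(1) or [(None, 0)])[0]
        share = dom_count / total if total else 0.0
        if burst >= RENAME_THRESHOLD and share >= 0.9:
            verdict = "ransomware-like"   # one extension stamped on a burst of files
        elif burst >= RENAME_THRESHOLD or rec["notes"]:
            verdict = "suspicious"
        else:
            verdict = "benign"
        findings[pid] = {
            "verdict": verdict,
            "max_renames_per_window": burst,
            "dominant_extension": dominant,
            "dominant_share": round(share, 3),
            "note_paths": rec["notes"],
            "desktop_ini_drops": rec["ini"],  # context only: Explorer writes these too
        }
    return findings


def constructed_events() -> List[FileEvent]:
    """Synthetic telemetry modelled on the report: 327 renames, note drops and
    desktop.ini drops by one process, plus a benign backup tool. The '.locked'
    extension is made up; the report does not name the one this sample appends."""
    base = 1_733_900_000.0
    evs = []
    for i in range(327):
        old = rf"C:\Users\victim\Documents\doc{i:04d}.xlsx"
        evs.append(FileEvent(base + i * 0.1, 4242, "rename", old, old + ".locked"))
    for d in (r"C:\Users\victim\Documents", r"C:\Users\victim\Desktop", "C:\\"):
        evs.append(FileEvent(base + 33.0, 4242, "create", ntpath.join(d, "1lGbHM0Gk.README.txt")))
        evs.append(FileEvent(base + 33.1, 4242, "create", ntpath.join(d, "desktop.ini")))
    for i in range(3):  # a few .bak renames minutes apart must not trip the rule
        old = rf"C:\Users\admin\report{i}.docx"
        evs.append(FileEvent(base + i * 120.0, 1000, "rename", old, old + ".bak"))
    return evs


if __name__ == "__main__":
    for pid, finding in assess(constructed_events()).items():
        print(pid, finding)
```

The rate-plus-uniformity test is what separates an encryptor from a backup or rename utility: both append extensions, but only the encryptor does it to hundreds of files with a single suffix in under a minute. The note-name check is deliberately separate so a process that drops the note but renames nothing (a loader, or a run that was killed early) still surfaces as suspicious.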

MITRE ATT&CK Enterprise v15

Tasks