General

  • Target

    2024-12-13_7089e64c176cdf1938e712196c246bcf_darkside

  • Size

    147KB

  • Sample

    241213-dxdsrsxkez

  • MD5

    7089e64c176cdf1938e712196c246bcf

  • SHA1

    82ca26f593103d27d81460eb144efbccb1533e03

  • SHA256

    222416505b9368d2b6c19b361158dec5bffedacd44afa447c292d4f0b5288f05

  • SHA512

    16f1e1652d0579c59048ce8377eed68013f7edce3ca80418b699152cf69208cd7b8191df06b4ab4c05a2f31d76496bec14c5b3935b30d24104847fb13ceca2a3

  • SSDEEP

    3072:z6glyuxE4GsUPnliByocWepBdmmmuHu7i0XS1:z6gDBGpvEByocWeDdmmmfS1

Malware Config

Extracted

Path

C:\4xdd7DWuD.README.txt

Ransom Note
YOUR FILES ARE ENCRYPTED Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Your personal DECRYPTION ID: ED132D71CE94E5B81CB5F934BA2D4847 Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] telegram: @somran2024 Attention! * Do not rename or edit encrypted files and archives containing encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. * We have been in your network for a long time. We know everything about your company most of your information has already been downloaded to our server. We recommend you to do not waste your time if you dont wont we start 2nd part. * You have 24 hours to contact us. * Otherwise, your data will be sold or made public.

Extracted

Path

C:\4xdd7DWuD.README.txt

Ransom Note
YOUR FILES ARE ENCRYPTED Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Your personal DECRYPTION ID: ED132D71CE94E5B81218FB6EEA0FFECE Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] telegram: @somran2024 Attention! * Do not rename or edit encrypted files and archives containing encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. * We have been in your network for a long time. We know everything about your company most of your information has already been downloaded to our server. We recommend you to do not waste your time if you dont wont we start 2nd part. * You have 24 hours to contact us. * Otherwise, your data will be sold or made public.

Targets

    • Target

      2024-12-13_7089e64c176cdf1938e712196c246bcf_darkside

    • Size

      147KB

    • MD5

      7089e64c176cdf1938e712196c246bcf

    • SHA1

      82ca26f593103d27d81460eb144efbccb1533e03

    • SHA256

      222416505b9368d2b6c19b361158dec5bffedacd44afa447c292d4f0b5288f05

    • SHA512

      16f1e1652d0579c59048ce8377eed68013f7edce3ca80418b699152cf69208cd7b8191df06b4ab4c05a2f31d76496bec14c5b3935b30d24104847fb13ceca2a3

    • SSDEEP

      3072:z6glyuxE4GsUPnliByocWepBdmmmuHu7i0XS1:z6gDBGpvEByocWeDdmmmfS1

    • Renames multiple (364) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks