General

  • Target

    2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside

  • Size

    147KB

  • Sample

    241216-vzb6dswmht

  • MD5

    2827781d295d54cdb5d199c19aef469d

  • SHA1

    308b01ec5ba7e3283353bb7cdbf85010017f99e8

  • SHA256

    d2468b77968df53b4335668c1a5313dd007d9ab528541bab28f74b4f170988fa

  • SHA512

    4afdcf585fb43e5001c77b50377f1d4c9dc2ab7925dceb1ed552e112bce6ea3ec122d18f3c08efb5a5b2e2b7fbf7cd396e53f025d5e7d5f5f3f7d69b8e73e334

  • SSDEEP

    3072:36glyuxE4GsUPnliByocWepZaGGtgp8FDJ94dElJnxB:36gDBGpvEByocWe2xZFXhbnz

Malware Config

Extracted

Path

C:\FIPNplZX1.README.txt

Ransom Note
YOUR FILES ARE ENCRYPTED Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Your personal DECRYPTION ID: 057A7C74C1AE5F49B05B656D480D0B9B Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] telegram: @somran2024 Attention! * Do not rename or edit encrypted files and archives containing encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. * We have been in your network for a long time. We know everything about your company most of your information has already been downloaded to our server. We recommend you to do not waste your time if you dont wont we start 2nd part. * You have 24 hours to contact us. * Otherwise, your data will be sold or made public.

Extracted

Path

C:\FIPNplZX1.README.txt

Ransom Note
YOUR FILES ARE ENCRYPTED Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Your personal DECRYPTION ID: 057A7C74C1AE5F494AF581597CE2AF09 Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] telegram: @somran2024 Attention! * Do not rename or edit encrypted files and archives containing encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. * We have been in your network for a long time. We know everything about your company most of your information has already been downloaded to our server. We recommend you to do not waste your time if you dont wont we start 2nd part. * You have 24 hours to contact us. * Otherwise, your data will be sold or made public.

Targets

    • Target

      2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside

    • Size

      147KB

    • MD5

      2827781d295d54cdb5d199c19aef469d

    • SHA1

      308b01ec5ba7e3283353bb7cdbf85010017f99e8

    • SHA256

      d2468b77968df53b4335668c1a5313dd007d9ab528541bab28f74b4f170988fa

    • SHA512

      4afdcf585fb43e5001c77b50377f1d4c9dc2ab7925dceb1ed552e112bce6ea3ec122d18f3c08efb5a5b2e2b7fbf7cd396e53f025d5e7d5f5f3f7d69b8e73e334

    • SSDEEP

      3072:36glyuxE4GsUPnliByocWepZaGGtgp8FDJ94dElJnxB:36gDBGpvEByocWe2xZFXhbnz

    • Renames multiple (352) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks