darkside | 2de09a815efcc64810046de69b8e0aa1c9e9beee77b66560a0b15d737485e3c5

General

Target

9b5350dd_by_Libranalysis.exe
Size

56KB
MD5

9b5350ddf895a5051b90a1cc563753df
SHA1

0e45a5f66f5ce300b8c7135450e76afaccc0d332
SHA256

2de09a815efcc64810046de69b8e0aa1c9e9beee77b66560a0b15d737485e3c5
SHA512

b96a1d383ca4721e3a0481399eb6dee0c1573e1c07140b7ec57c808b89cc6790937e6a7d49c960639a79c5a1bf1595e05834c6ae42c1c6933d2537fb38eaa190

Score

10^/10

darkside ransomware

Malware Config

Extracted

Path

C:\\README.aeef1a75.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 500GB data. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/1SJ1TB6JTW4SEUG6GSN7IVSGERSM5H5M2VZOHQ4PSIVS2AGAQDMT3QVGIFMPM3K8 When you open our website, put the following data in the input form: Key: AEGQm0LSuziR6EFXhFWkm5ydHaVo055sxu90K4t2AwMEvOOqRnLk2MlrKgFxhdHfhYMBZ4qnbFVahkmyigl0bCvC8FPE7bcvjvpKgCi60TIIQwRiWAf2wTvA49hUnvV1rt9jkvfcoUvFA6Lehz75q75pr8afu7awEM4TWJrpGoyrJMmb38VEB4SL1U5CcAIo1NirjYoAajFEXB7ibtzv8sRMJMJYK0VgydH2mvnHGmk8iArP8jyH0zVMosuhPKJUkHzUk7kJ2TamCDFDtw0XPm5a4Uz7ug3GKyAeivQwvm1pSW7HODKDPOgZatREFUc6fl55ae3eAo986ywXejXmcvmEz0CCUsbRJM1byvbd0J0AuJeDJ6PshlqqvTs9tqsgZ1cs1MHtizENUPNb05Q131pGkuYSEXOCJHQy6xnswVkd2nWwHPpHAq0Y1P3dlCO2KZL76jdxnM4SNIC9nPjdBxkp0E8fHGpyb0rqgjlgyvvZBPxgktI1jPIfKe9fVDGfTzFZIRWabA6CIyiAjXu14Q4Z1raKZb6ntqxAumNUZ2iLeUXWo5jQcMD !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/1SJ1TB6JTW4SEUG6GSN7IVSGERSM5H5M2VZOHQ4PSIVS2AGAQDMT3QVGIFMPM3K8

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

9b5350dd_by_libranalysis.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\BackupStop.raw => C:\Users\Admin\Pictures\BackupStop.raw.aeef1a75	9b5350dd_by_libranalysis.exe
File opened for modification	C:\Users\Admin\Pictures\BackupStop.raw.aeef1a75	9b5350dd_by_libranalysis.exe
File renamed	C:\Users\Admin\Pictures\SelectMeasure.crw => C:\Users\Admin\Pictures\SelectMeasure.crw.aeef1a75	9b5350dd_by_libranalysis.exe
File opened for modification	C:\Users\Admin\Pictures\SelectMeasure.crw.aeef1a75	9b5350dd_by_libranalysis.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

9b5350dd_by_Libranalysis.exe9b5350dd_by_libranalysis.exe

description ioc process

File opened (read-only) \??\Z: 9b5350dd_by_Libranalysis.exe
File opened (read-only) \??\Z: 9b5350dd_by_libranalysis.exe

description	ioc	process
File opened (read-only)	\??\Z:	9b5350dd_by_Libranalysis.exe
File opened (read-only)	\??\Z:	9b5350dd_by_libranalysis.exe

Drops file in System32 directory 5 IoCs

Processes:

9b5350dd_by_Libranalysis.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	9b5350dd_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	9b5350dd_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	9b5350dd_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	9b5350dd_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	9b5350dd_by_Libranalysis.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

9b5350dd_by_Libranalysis.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\aeef1a75.BMP"	9b5350dd_by_Libranalysis.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

9b5350dd_by_Libranalysis.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop	9b5350dd_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "10"	9b5350dd_by_Libranalysis.exe

Modifies data under HKEY_USERS 29 IoCs

Processes:

9b5350dd_by_libranalysis.exe9b5350dd_by_Libranalysis.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 28e1d0ea387c59ed0a62f02c960afd841c6288b102d719fa1f7ca223b6d635db	9b5350dd_by_libranalysis.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 8ce110ac2df5984dcb4af59e8ca95fe2877b249028d541b8e9f7fe2cb690c4b9	9b5350dd_by_libranalysis.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	9b5350dd_by_libranalysis.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d002e0062006c00660000000000	9b5350dd_by_libranalysis.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	9b5350dd_by_Libranalysis.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	9b5350dd_by_libranalysis.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = fb948d709a95cda61386225b4040ebdc575f2caca4234e145bc5426cc2033f43	9b5350dd_by_libranalysis.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	9b5350dd_by_Libranalysis.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	9b5350dd_by_Libranalysis.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	9b5350dd_by_Libranalysis.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 1ece2e0c8a289314f80d8c9e6fdca7c83e1239bdb10103ec80c8d5b78061589c	9b5350dd_by_libranalysis.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	9b5350dd_by_libranalysis.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	9b5350dd_by_Libranalysis.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	9b5350dd_by_libranalysis.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	9b5350dd_by_libranalysis.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 740a0000babb3aaf964cd701	9b5350dd_by_libranalysis.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 0c8f5586fb0cc8f50a2d1d859a9ac5f05b5d2f9d39a6d82792052dd35dfbf8dc	9b5350dd_by_libranalysis.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	9b5350dd_by_Libranalysis.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	9b5350dd_by_libranalysis.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 6f96001e5e8dcce4268e8c8b47523192110d12504c945ff3592e0da65baccf38	9b5350dd_by_libranalysis.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 5962cf2b75a087d79b8fca98d6c27f3ae918c2a78cf2db44f0a2265e7ed850ae	9b5350dd_by_libranalysis.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\aeef1a75.BMP"	9b5350dd_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	9b5350dd_by_Libranalysis.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	9b5350dd_by_Libranalysis.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	9b5350dd_by_libranalysis.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	9b5350dd_by_Libranalysis.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	9b5350dd_by_libranalysis.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	9b5350dd_by_libranalysis.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = c1a53f7940c0cb79cc59cc96ab8396e5b921caf61356c66929b9705663208d97	9b5350dd_by_libranalysis.exe

Modifies registry class 5 IoCs

Processes:

9b5350dd_by_Libranalysis.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aeef1a75	9b5350dd_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\aeef1a75\DefaultIcon\ = "C:\\ProgramData\\aeef1a75.ico"	9b5350dd_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.aeef1a75	9b5350dd_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.aeef1a75\ = "aeef1a75"	9b5350dd_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aeef1a75\DefaultIcon	9b5350dd_by_Libranalysis.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

9b5350dd_by_Libranalysis.exe9b5350dd_by_libranalysis.exe

pid	process
1072	9b5350dd_by_Libranalysis.exe
1072	9b5350dd_by_Libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe
2676	9b5350dd_by_libranalysis.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1592 vssvc.exe
Token: SeRestorePrivilege 1592 vssvc.exe
Token: SeAuditPrivilege 1592 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1592	vssvc.exe
Token: SeRestorePrivilege	1592	vssvc.exe
Token: SeAuditPrivilege	1592	vssvc.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

9b5350dd_by_Libranalysis.exe9b5350dd_by_Libranalysis.exe

description	pid	process	target process
PID 204 wrote to memory of 1072	204	9b5350dd_by_Libranalysis.exe	9b5350dd_by_Libranalysis.exe
PID 204 wrote to memory of 1072	204	9b5350dd_by_Libranalysis.exe	9b5350dd_by_Libranalysis.exe
PID 204 wrote to memory of 1072	204	9b5350dd_by_Libranalysis.exe	9b5350dd_by_Libranalysis.exe
PID 204 wrote to memory of 1072	204	9b5350dd_by_Libranalysis.exe	9b5350dd_by_Libranalysis.exe
PID 1072 wrote to memory of 2676	1072	9b5350dd_by_Libranalysis.exe	9b5350dd_by_libranalysis.exe
PID 1072 wrote to memory of 2676	1072	9b5350dd_by_Libranalysis.exe	9b5350dd_by_libranalysis.exe
PID 1072 wrote to memory of 2676	1072	9b5350dd_by_Libranalysis.exe	9b5350dd_by_libranalysis.exe
PID 1072 wrote to memory of 3076	1072	9b5350dd_by_Libranalysis.exe	9b5350dd_by_libranalysis.exe
PID 1072 wrote to memory of 3076	1072	9b5350dd_by_Libranalysis.exe	9b5350dd_by_libranalysis.exe
PID 1072 wrote to memory of 3076	1072	9b5350dd_by_Libranalysis.exe	9b5350dd_by_libranalysis.exe

C:\Users\Admin\AppData\Local\Temp\9b5350dd_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\9b5350dd_by_Libranalysis.exe"
1⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\9b5350dd_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\9b5350dd_by_Libranalysis.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:204

C:\Users\Admin\AppData\Local\Temp\9b5350dd_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\9b5350dd_by_Libranalysis.exe"
2⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\Temp\9b5350dd_by_libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\9b5350dd_by_libranalysis.exe -work worker0 job0-1072
3⤵
- Modifies extensions of user files
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2676

C:\Users\Admin\AppData\Local\Temp\9b5350dd_by_libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\9b5350dd_by_libranalysis.exe -work worker1 job1-1072
3⤵
- Enumerates connected drives
PID:3076