Analysis
max time kernel: 18s
max time network: 11s
platform: windows7_x64
resource: win7v20210408
submitted: 08-07-2021 08:52
Static task: static1
Behavioral task: behavioral1 (sample DArkS.bin.exe, resource win7v20210408)
Behavioral task: behavioral2 (sample DArkS.bin.exe, resource win10v20210408)
General
Target: DArkS.bin.exe
Size: 61KB
MD5: c8873191fe599cde49491443b47eb036
SHA1: b11def82d23f4c4883cf13b41de4cc2c8c5cc92f
SHA256: b565e9266717161163e884793dc1004f9f2ca94ab0533df9c167d5d188cebf2f
SHA512: 2652dc435b148ac4af0dbb9edd8ceab711a540f4e6459fa78b95a5627a8e73e7bd27b601148262db0596699682a8a2e193dc3b2ba0bb9312cdb79c0563aff974
Malware Config
Extracted
Family: darkside
Ransom note path: C:\README.53411c86.TXT
URL: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/MYM57PZKKZKVJWS2PAFUZ4ZUZRK3JW4O1VQBMFON3RZIMKZ9CGVFLH2HV089EGT5
Signatures
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
Modifies extensions of user files (9 IoCs)
Ransomware generally changes the extension on encrypted files. In this run the original extension is kept and the token .53411c86 is appended to it; the same token names the ransom note, the wallpaper bitmap and the registered file type below.
Processes: darks.bin.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\SubmitConnect.crw.53411c86 | darks.bin.exe
File opened for modification | C:\Users\Admin\Pictures\EditConvertTo.tiff.53411c86 | darks.bin.exe
File opened for modification | C:\Users\Admin\Pictures\SkipAdd.tiff.53411c86 | darks.bin.exe
File opened for modification | C:\Users\Admin\Pictures\DenyCheckpoint.raw.53411c86 | darks.bin.exe
File opened for modification | C:\Users\Admin\Pictures\EnableRemove.raw.53411c86 | darks.bin.exe
File opened for modification | C:\Users\Admin\Pictures\ReadMount.png.53411c86 | darks.bin.exe
File opened for modification | C:\Users\Admin\Pictures\ReadSuspend.png.53411c86 | darks.bin.exe
File opened for modification | C:\Users\Admin\Pictures\ApproveUse.tiff.53411c86 | darks.bin.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertFromFind.tif.53411c86 | darks.bin.exe
Drops startup file (2 IoCs)
Processes: darks.bin.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.53411c86.TXT | darks.bin.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.53411c86.TXT | darks.bin.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: DArkS.bin.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallPaper = "C:\ProgramData\53411c86.BMP" | DArkS.bin.exe
Modifies Control Panel (2 IoCs)
Processes: DArkS.bin.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop | DArkS.bin.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallpaperStyle = "10" | DArkS.bin.exe
Modifies data under HKEY_USERS (33 IoCs)
Processes: darks.bin.exe, DArkS.bin.exe
All but one of these entries sit under the per-session key written by the Windows Restart Manager API, abbreviated below as Session0000 = \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000. RegFiles0000 values are REG_BINARY blobs holding one NUL-terminated UTF-16LE path; they are shown decoded here. Every registered file is the logged-on user's NTUSER.DAT hive or one of its transaction logs, files the system holds open, which is the kind of file a process asks the Restart Manager about (to learn which process holds the lock) before trying to write it. Owner is the session owner's PID as a little-endian DWORD followed by an 8-byte FILETIME.
description | ioc | process
Set value (data) | Session0000\RegFilesHash = 976b0b7040d2f5ca678c5479923a6eba6e605767b5a6e6a799b96d0cbbdbd0b8 | darks.bin.exe
Set value (data) | Session0000\SessionHash = d5f61c5a23b0aeccf08cf259b165991f583f0cc8ee472cef63e86a82a528d6dd | darks.bin.exe
Set value (data) | Session0000\RegFilesHash = 4945d6dad4a6ae8d46e64e73cef06fe701d4bf990a1fd6c36b10779e77b12737 | darks.bin.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 | darks.bin.exe
Set value (data) | Session0000\RegFiles0000 = \\?\C:\Documents and Settings\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf (decoded) | darks.bin.exe
Set value (data) | Session0000\RegFiles0000 = (value elided in this copy of the report) | darks.bin.exe
Set value (data) | Session0000\RegFilesHash = 1346fb5ad34238b61ab7c71ae02fada059c93fdb17713971c4591fd820087b1e | darks.bin.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000 | darks.bin.exe
Set value (data) | Session0000\RegFilesHash = 668590a730f6e8c08713fc812cde8091d111c257e987016c4b29e90d6ed80fff | darks.bin.exe
Set value (data) | Session0000\SessionHash = 8c8f10682bfc33ed560f5135591149b31d9bb33ed3dbda712571723ae656d7ac | darks.bin.exe
Set value (data) | Session0000\RegFiles0000 = \\?\C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf (decoded) | darks.bin.exe
Set value (data) | Session0000\SessionHash = 45bfaf170e6493e1cf7fe3981095eda4511ee5a855297d5efb67d9ed6d5e69b1 | darks.bin.exe
Set value (data) | Session0000\SessionHash = cb2a54e8fd597e344c0cd4cfa944dfc210b79bfe8ff0abc01b3ccbea2ac4ef1f | darks.bin.exe
Set value (data) | Session0000\RegFiles0000 = \\?\C:\Users\Admin\ntuser.dat.LOG1 (decoded) | darks.bin.exe
Set value (data) | Session0000\SessionHash = 0196c9c649851b59fe253b3c3aaaf004c2f5ad371bdb9387d5ca5ce09a866c8f | darks.bin.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000 | darks.bin.exe
Set value (data) | Session0000\SessionHash = c6bd3bc12459ab0d606b7638fd96f3d01656b753bafee2ab3029c1e3108954d9 | darks.bin.exe
Set value (data) | Session0000\RegFilesHash = c8aaf00c4e52ae27c918a94a3e7e6476da4bb338a67a2d82e88547b6df16af32 | darks.bin.exe
Set value (data) | Session0000\RegFilesHash = 8effff708f4a5d0c5b0e5d06e3f7f13c86d849625dc98eb32a2c7e6351b2adce | darks.bin.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | darks.bin.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | darks.bin.exe
Set value (data) | Session0000\SessionHash = fa04e67155b5679cfeeeebbf5f31e316d0f181d3609479fad9386bfcb6cd4565 | darks.bin.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager | darks.bin.exe
Set value (data) | Session0000\RegFilesHash = 7ac6099963ff0f3d36cc740ca24b2fb875bdad0661d2f717f8a685eb5a428c62 | darks.bin.exe
Set value (data) | Session0000\SessionHash = 1be518cf20e13fc35f3f4b6f440a84017a78f5cf104d77aeda8b929b95e3362c | darks.bin.exe
Set value (int) | Session0000\Sequence = "1" | darks.bin.exe
Set value (data) | Session0000\RegFiles0000 = \\?\C:\Documents and Settings\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms (decoded) | darks.bin.exe
Set value (data) | Session0000\RegFiles0000 = \\?\C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms (decoded) | darks.bin.exe
Set value (data) | Session0000\RegFiles0000 = \\?\C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms (decoded) | darks.bin.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\ProgramData\53411c86.BMP" | DArkS.bin.exe
Set value (data) | Session0000\Owner = c4030000d07adfdee773d701 (PID 0x3c4 = 964, the darks.bin.exe worker, followed by its start time as a FILETIME) | darks.bin.exe
Set value (data) | Session0000\RegFiles0000 = \\?\C:\Documents and Settings\Admin\ntuser.dat.LOG1 (decoded) | darks.bin.exe
Set value (data) | Session0000\RegFilesHash = 3360584dbdc348b69fd4d5e19be3cd1c99e810f653cfb0161236e44266733d60 | darks.bin.exe
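The RegFiles0000 and Owner values in the section above are raw REG_BINARY blobs. The following is an added example, written for this page and not part of the sandbox report or of the sample, that decodes three of the report's own values: RegFiles0000 is a NUL-terminated UTF-16LE path, and Owner is the session owner's PID as a little-endian DWORD followed by its start time as a FILETIME (100 ns ticks since 1601-01-01 UTC). The names REG_FILES_SAMPLES, OWNER_SAMPLE and summarize() are chosen for this example; the hex strings are copied from the report.

```python
"""Decode the Restart Manager session values recorded in the sandbox report.

Added example, not part of the report. The hex blobs below are copied from the
report's "Modifies data under HKEY_USERS" section; the names REG_FILES_SAMPLES,
OWNER_SAMPLE and summarize() are assumptions made for this example.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# RegFiles0000 values (REG_BINARY) as shown in the report
REG_FILES_SAMPLES = {
    "ntuser_log1": (
        "5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c00"
        "6e00740075007300650072002e006400610074002e004c004f004700310000000000"
    ),
    "ntuser_tm_blf": (
        "5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c00"
        "4e00540055005300450052002e004400410054007b00300031003600380038003800620064002d00"
        "36006300360066002d0031003100640065002d0038006400310064002d00300030003100650030"
        "0062006300640065003300650063007d002e0054004d002e0062006c00660000000000"
    ),
    "ntuser_container1": (
        "5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c00"
        "4e00540055005300450052002e004400410054007b00300031003600380038003800620064002d00"
        "36006300360066002d0031003100640065002d0038006400310064002d00300030003100650030"
        "0062006300640065003300650063007d002e0054004d0043006f006e007400610069006e006500"
        "7200300030003000300030003000300030003000300030003000300030003000300030003000"
        "300031002e007200650067007400720061006e0073002d006d00730000000000"
    ),
}
# Owner value (REG_BINARY) as shown in the report
OWNER_SAMPLE = "c4030000d07adfdee773d701"


def decode_reg_files(hex_value: str) -> str:
    """RegFiles0000 holds one NUL-terminated UTF-16LE path."""
    raw = bytes.fromhex(hex_value)
    if len(raw) % 2:
        raise ValueError("UTF-16 data must have an even byte length")
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def decode_owner(hex_value: str):
    """Owner = little-endian DWORD pid followed by the owner's start time as a FILETIME."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 12:
        raise ValueError("expected 4-byte pid + 8-byte FILETIME")
    pid = int.from_bytes(raw[:4], "little")
    filetime = int.from_bytes(raw[4:], "little")  # 100 ns ticks since 1601-01-01 UTC
    return pid, FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def summarize(samples=REG_FILES_SAMPLES, owner=OWNER_SAMPLE) -> dict:
    """Decode everything and flag whether every registered file is a user-hive file."""
    pid, started = decode_owner(owner)
    paths = {name: decode_reg_files(h) for name, h in samples.items()}
    hive_files = all("ntuser.dat" in p.lower() for p in paths.values())
    return {
        "owner_pid": pid,
        "owner_started": started.isoformat(),
        "registered_files": paths,
        "all_user_hive_files": hive_files,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

The decoded owner PID (964) is the darks.bin.exe worker from the report's process tree, which confirms that the worker, not the launcher, drove the Restart Manager session; the FILETIME falls on the report's analysis date.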
Modifies registry class (5 IoCs)
Processes: DArkS.bin.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.53411c86 | DArkS.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.53411c86\ = "53411c86" | DArkS.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\53411c86\DefaultIcon | DArkS.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\53411c86 | DArkS.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\53411c86\DefaultIcon\ = "C:\ProgramData\53411c86.ico" | DArkS.bin.exe
Suspicious behavior: EnumeratesProcesses (50 IoCs)
Processes: DArkS.bin.exe, darks.bin.exe
pid | process | events
1936 | DArkS.bin.exe | 2
964 | darks.bin.exe | 48
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: vssvc.exe
description | pid | process
Token: SeBackupPrivilege | 1300 | vssvc.exe
Token: SeRestorePrivilege | 1300 | vssvc.exe
Token: SeAuditPrivilege | 1300 | vssvc.exe
vssvc.exe is the Volume Shadow Copy service; it starting and enabling these privileges during the run is consistent with a shadow-copy request from the sample, but the report records neither the request nor any deletion, so shadow-copy tampering should not be concluded from this entry alone.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: DArkS.bin.exe, DArkS.bin.exe
description | pid | process | target process | events
PID 2044 wrote to memory of 1936 | 2044 | DArkS.bin.exe | 1936 DArkS.bin.exe | 5
PID 1936 wrote to memory of 964 | 1936 | DArkS.bin.exe | 964 darks.bin.exe | 4
Processes
The chain below matches the WriteProcessMemory section: the launcher (PID 2044) starts a second copy of itself (PID 1936), which starts the lower-case worker (PID 964) with its own PID in the worker's job argument (job0-1936).
- C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe"
- C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe (level 1, PID 2044)
  command line: "C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe (level 2, PID 1936)
    command line: "C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe"
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\darks.bin.exe (level 3, PID 964)
      command line: C:\Users\Admin\AppData\Local\Temp\darks.bin.exe -work worker0 job0-1936
      - Modifies extensions of user files
      - Drops startup file
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (level 1, PID 1300)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
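Taken together, the signature sections and the process tree hinge on one 8-hex-digit token (53411c86): it is appended to every encrypted file, names the ransom note in the Startup folder, is registered as a file type with an icon under ProgramData, and names the wallpaper bitmap; the worker additionally carries its parent's PID in its command line. The following added example, written for this page and not part of the sandbox report or of any sandbox's rule set, rebuilds those observations as constructed event records and correlates them the way a detection rule would. The EVENTS field names, the min_files threshold, the rule wording and the verdict labels are assumptions made for this example; the paths, keys, values and PIDs are taken from the report.

```python
"""Correlate the report's file, registry and process artifacts around one token.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's signature sections; field names, thresholds and verdict labels are
assumptions made for this example.
"""
import re
from collections import defaultdict

SUFFIX = re.compile(r"\.([0-9a-f]{8})$", re.IGNORECASE)   # trailing 8-hex-digit token
WORKER = re.compile(r"-work worker\d+ job\d+-(\d+)$")      # worker argument seen in the report

PICTURES = r"C:\Users\Admin\Pictures"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
HKU_ADMIN = r"\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000"

EVENTS = [
    # nine renamed files (Modifies extensions of user files)
    *({"kind": "file", "proc": "darks.bin.exe", "path": PICTURES + "\\" + name + ".53411c86"}
      for name in ("SubmitConnect.crw", "EditConvertTo.tiff", "SkipAdd.tiff", "DenyCheckpoint.raw",
                   "EnableRemove.raw", "ReadMount.png", "ReadSuspend.png", "ApproveUse.tiff",
                   "ConvertFromFind.tif")),
    # Drops startup file
    {"kind": "file", "proc": "darks.bin.exe", "path": STARTUP + r"\README.53411c86.TXT"},
    # Modifies registry class / Sets desktop wallpaper using registry
    {"kind": "reg", "proc": "DArkS.bin.exe", "key": r"\REGISTRY\MACHINE\SOFTWARE\Classes\.53411c86",
     "value": "53411c86"},
    {"kind": "reg", "proc": "DArkS.bin.exe", "key": r"\REGISTRY\MACHINE\SOFTWARE\Classes\53411c86\DefaultIcon",
     "value": r"C:\ProgramData\53411c86.ico"},
    {"kind": "reg", "proc": "DArkS.bin.exe", "key": HKU_ADMIN + r"\Control Panel\Desktop\WallPaper",
     "value": r"C:\ProgramData\53411c86.BMP"},
    # process tree (PIDs from the WriteProcessMemory section)
    {"kind": "proc", "pid": 2044, "ppid": None, "image": "DArkS.bin.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe"'},
    {"kind": "proc", "pid": 1936, "ppid": 2044, "image": "DArkS.bin.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe"'},
    {"kind": "proc", "pid": 964, "ppid": 1936, "image": "darks.bin.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\darks.bin.exe -work worker0 job0-1936"},
]


def ransom_token(events, min_files=5):
    """Return (token, original extensions) for the most common trailing 8-hex suffix, or (None, [])."""
    by_token = defaultdict(list)
    for e in events:
        if e["kind"] != "file":
            continue
        m = SUFFIX.search(e["path"])
        if m:
            original = e["path"][: m.start()]  # path without the appended token
            by_token[m.group(1).lower()].append(original.rsplit(".", 1)[-1].lower())
    if not by_token:
        return None, []
    token, exts = max(by_token.items(), key=lambda kv: len(kv[1]))
    return (token, exts) if len(exts) >= min_files else (None, [])


def analyze(events, min_files=5):
    """Score the events: one hit per correlated artifact, verdict from the hit count."""
    token, exts = ransom_token(events, min_files)
    if token is None:
        return {"token": None, "verdict": "clean", "hits": []}
    hits = [f"{len(exts)} files across {len(set(exts))} original extensions renamed with suffix .{token}"]
    for e in events:
        if e["kind"] == "reg":
            key, value = e["key"].lower(), str(e.get("value", "")).lower()
            if key.endswith("\\classes\\." + token):
                hits.append("file type registered for the ransom extension")
            elif key.endswith("\\defaulticon") and token in value:
                hits.append("DefaultIcon set for the ransom extension: " + e["value"])
            elif key.endswith("wallpaper") and token in value:
                hits.append("desktop wallpaper replaced with a file named after the token")
        elif e["kind"] == "file" and "\\startup\\" in e["path"].lower() and token in e["path"].lower():
            hits.append("ransom note dropped into the Startup folder")
    procs = {e["pid"]: e for e in events if e["kind"] == "proc"}
    for p in procs.values():
        m = WORKER.search(p["cmdline"])
        parent = procs.get(p["ppid"])
        if m and parent and int(m.group(1)) == p["ppid"] and parent["image"].lower() == p["image"].lower():
            hits.append(f"pid {p['pid']} is a self-spawned worker carrying parent pid {p['ppid']} in its arguments")
    verdict = "ransomware" if len(hits) >= 3 else "suspicious"
    return {"token": token, "verdict": verdict, "hits": hits}


if __name__ == "__main__":
    for line in analyze(EVENTS)["hits"]:
        print(line)
```

The rename check alone is weak (any bulk renamer would trip it); the value of the rule is the pivot on the token, which ties the file activity of the worker (PID 964) to the registry changes made by its parent (PID 1936) even though the two signatures attribute them to different processes.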
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\LOGS.53411c86\LOG.53411c86.PID-0.TXT
MD5: 4cb1a04be4a8f158bd30c80da609d4b3
SHA1: 23e93b8549fcd653585aedf30504b652fc827362
SHA256: 9bdf6132b8c630cd38346765661f64398f4744a252640b9227e5257c03ceedb0
SHA512: 29b3b9ad8e73fad3713184edb460530e435a9340893dea56524f6390570f91e76dfa5783bd5f177f4733dba9c8ae87c13a534038e1d6242859483ba9e664d9a6
memory/964-66-0x0000000000000000-mapping.dmp
memory/1608-60-0x0000000075801000-0x0000000075803000-memory.dmp (Filesize: 8KB)
memory/1936-64-0x0000000000000000-mapping.dmp