darkside | b565e9266717161163e884793dc1004f9f2ca94ab0533df9c167d5d188cebf2f

General

Target

DArkS.bin.exe
Size

61KB
MD5

c8873191fe599cde49491443b47eb036
SHA1

b11def82d23f4c4883cf13b41de4cc2c8c5cc92f
SHA256

b565e9266717161163e884793dc1004f9f2ca94ab0533df9c167d5d188cebf2f
SHA512

2652dc435b148ac4af0dbb9edd8ceab711a540f4e6459fa78b95a5627a8e73e7bd27b601148262db0596699682a8a2e193dc3b2ba0bb9312cdb79c0563aff974

Score

10^/10

darkside ransomware

Malware Config

Extracted

Path

C:\\README.53411c86.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/MYM57PZKKZKVJWS2PAFUZ4ZUZRK3JW4O1VQBMFON3RZIMKZ9CGVFLH2HV089EGT5 When you open our website, put the following data in the input form: Key: NAQs1URQJY1VVwfwuJsJW1cinECoSP8W4srcHTFIO0vJ1hJqEavnyppmYVng86GSskYd56DZQnV2Ac3Fmsv7Hhj4j7lpNZrJIdFqTMvEtchexyln4phVDQg5Tt9feJwdsGq5njUDCCJtmJUmWrIqR2bewAir5GxMOfJ3P4srcUgHjH5BRdLuNNp0LDtbQEEjHdyRr9yoljknyF3OHqQUUh6mOb7jpPXpBCOidIbHIrrnYeHM8Sq4hVodJWBzROt0wgSHvLkeabGAsxyJQz1ZYrvlmGK8KJ6w6BGbh1QzmDpiEycPL5vQeC4F8zfkLbeg5dSY4wktSSES9SdvcfzIwwt4ogRQhebKyvXyRjhOSmQfVUznGMeyNh2axiVG4wUhsE6V2rD85n7SJSsIpdXQqgD9q7bRmjjzXLQaT1myrcqrLqKAfZaSnm7HnAcPKlYTx3eBD4rTtM2ExUf9Ag91R61hOAA134Alx39Kcbns0nHXdmkRcMrn6Z3ivZ4YIE1lhTPE9uItg3wp6vRiVPVF7V96viOqGnOsNeCkRJ3XQEE8vKZrtiogDSB !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/MYM57PZKKZKVJWS2PAFUZ4ZUZRK3JW4O1VQBMFON3RZIMKZ9CGVFLH2HV089EGT5

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

darks.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SubmitConnect.crw.53411c86	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\EditConvertTo.tiff.53411c86	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SkipAdd.tiff.53411c86	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\DenyCheckpoint.raw.53411c86	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\EnableRemove.raw.53411c86	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ReadMount.png.53411c86	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ReadSuspend.png.53411c86	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ApproveUse.tiff.53411c86	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromFind.tif.53411c86	darks.bin.exe

Drops startup file 2 IoCs

Processes:

darks.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.53411c86.TXT	darks.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.53411c86.TXT	darks.bin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

DArkS.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\53411c86.BMP"	DArkS.bin.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

DArkS.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop	DArkS.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallpaperStyle = "10"	DArkS.bin.exe

Modifies data under HKEY_USERS 33 IoCs

Processes:

darks.bin.exeDArkS.bin.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 976b0b7040d2f5ca678c5479923a6eba6e605767b5a6e6a799b96d0cbbdbd0b8	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = d5f61c5a23b0aeccf08cf259b165991f583f0cc8ee472cef63e86a82a528d6dd	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 4945d6dad4a6ae8d46e64e73cef06fe701d4bf990a1fd6c36b10779e77b12737	darks.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d002e0062006c00660000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 1346fb5ad34238b61ab7c71ae02fada059c93fdb17713971c4591fd820087b1e	darks.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 668590a730f6e8c08713fc812cde8091d111c257e987016c4b29e90d6ed80fff	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 8c8f10682bfc33ed560f5135591149b31d9bb33ed3dbda712571723ae656d7ac	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d002e0062006c00660000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 45bfaf170e6493e1cf7fe3981095eda4511ee5a855297d5efb67d9ed6d5e69b1	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = cb2a54e8fd597e344c0cd4cfa944dfc210b79bfe8ff0abc01b3ccbea2ac4ef1f	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 0196c9c649851b59fe253b3c3aaaf004c2f5ad371bdb9387d5ca5ce09a866c8f	darks.bin.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = c6bd3bc12459ab0d606b7638fd96f3d01656b753bafee2ab3029c1e3108954d9	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = c8aaf00c4e52ae27c918a94a3e7e6476da4bb338a67a2d82e88547b6df16af32	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 8effff708f4a5d0c5b0e5d06e3f7f13c86d849625dc98eb32a2c7e6351b2adce	darks.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	darks.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = fa04e67155b5679cfeeeebbf5f31e316d0f181d3609479fad9386bfcb6cd4565	darks.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 7ac6099963ff0f3d36cc740ca24b2fb875bdad0661d2f717f8a685eb5a428c62	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 1be518cf20e13fc35f3f4b6f440a84017a78f5cf104d77aeda8b929b95e3362c	darks.bin.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence = "1"	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	darks.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\53411c86.BMP"	DArkS.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Owner = c4030000d07adfdee773d701	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 3360584dbdc348b69fd4d5e19be3cd1c99e810f653cfb0161236e44266733d60	darks.bin.exe

Modifies registry class 5 IoCs

Processes:

DArkS.bin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.53411c86	DArkS.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.53411c86\ = "53411c86"	DArkS.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\53411c86\DefaultIcon	DArkS.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\53411c86	DArkS.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\53411c86\DefaultIcon\ = "C:\\ProgramData\\53411c86.ico"	DArkS.bin.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

DArkS.bin.exedarks.bin.exe

pid	process
1936	DArkS.bin.exe
1936	DArkS.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe
964	darks.bin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1300 vssvc.exe
Token: SeRestorePrivilege 1300 vssvc.exe
Token: SeAuditPrivilege 1300 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1300	vssvc.exe
Token: SeRestorePrivilege	1300	vssvc.exe
Token: SeAuditPrivilege	1300	vssvc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

DArkS.bin.exeDArkS.bin.exe

description	pid	process	target process
PID 2044 wrote to memory of 1936	2044	DArkS.bin.exe	DArkS.bin.exe
PID 2044 wrote to memory of 1936	2044	DArkS.bin.exe	DArkS.bin.exe
PID 2044 wrote to memory of 1936	2044	DArkS.bin.exe	DArkS.bin.exe
PID 2044 wrote to memory of 1936	2044	DArkS.bin.exe	DArkS.bin.exe
PID 2044 wrote to memory of 1936	2044	DArkS.bin.exe	DArkS.bin.exe
PID 1936 wrote to memory of 964	1936	DArkS.bin.exe	darks.bin.exe
PID 1936 wrote to memory of 964	1936	DArkS.bin.exe	darks.bin.exe
PID 1936 wrote to memory of 964	1936	DArkS.bin.exe	darks.bin.exe
PID 1936 wrote to memory of 964	1936	DArkS.bin.exe	darks.bin.exe

C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe
"C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe"
1⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe
"C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe
"C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe"
2⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\darks.bin.exe
C:\Users\Admin\AppData\Local\Temp\darks.bin.exe -work worker0 job0-1936
3⤵
- Modifies extensions of user files
- Drops startup file
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1300

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LOGS.53411c86\LOG.53411c86.PID-0.TXT
MD5
4cb1a04be4a8f158bd30c80da609d4b3

SHA1
23e93b8549fcd653585aedf30504b652fc827362

SHA256
9bdf6132b8c630cd38346765661f64398f4744a252640b9227e5257c03ceedb0

SHA512
29b3b9ad8e73fad3713184edb460530e435a9340893dea56524f6390570f91e76dfa5783bd5f177f4733dba9c8ae87c13a534038e1d6242859483ba9e664d9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOGS.53411c86\LOG.53411c86.PID-0.TXT
MD5
4cb1a04be4a8f158bd30c80da609d4b3

SHA1
23e93b8549fcd653585aedf30504b652fc827362

SHA256
9bdf6132b8c630cd38346765661f64398f4744a252640b9227e5257c03ceedb0

SHA512
29b3b9ad8e73fad3713184edb460530e435a9340893dea56524f6390570f91e76dfa5783bd5f177f4733dba9c8ae87c13a534038e1d6242859483ba9e664d9a6

Download Submit
memory/964-66-0x0000000000000000-mapping.dmp

Download
memory/1608-60-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1936-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads