darkside | b565e9266717161163e884793dc1004f9f2ca94ab0533df9c167d5d188cebf2f

General

Target

DArkS.bin.exe
Size

61KB
MD5

c8873191fe599cde49491443b47eb036
SHA1

b11def82d23f4c4883cf13b41de4cc2c8c5cc92f
SHA256

b565e9266717161163e884793dc1004f9f2ca94ab0533df9c167d5d188cebf2f
SHA512

2652dc435b148ac4af0dbb9edd8ceab711a540f4e6459fa78b95a5627a8e73e7bd27b601148262db0596699682a8a2e193dc3b2ba0bb9312cdb79c0563aff974

Score

10^/10

darkside ransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\\README.70d4d153.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/MYM57PZKKZKVJWS2PAFUZ4ZUZRK3JW4O1VQBMFON3RZIMKZ9CGVFLH2HV089EGT5 When you open our website, put the following data in the input form: Key: NAQs1URQJY1VVwfwuJsJW1cinECoSP8W4srcHTFIO0vJ1hJqEavnyppmYVng86GSskYd56DZQnV2Ac3Fmsv7Hhj4j7lpNZrJIdFqTMvEtchexyln4phVDQg5Tt9feJwdsGq5njUDCCJtmJUmWrIqR2bewAir5GxMOfJ3P4srcUgHjH5BRdLuNNp0LDtbQEEjHdyRr9yoljknyF3OHqQUUh6mOb7jpPXpBCOidIbHIrrnYeHM8Sq4hVodJWBzROt0wgSHvLkeabGAsxyJQz1ZYrvlmGK8KJ6w6BGbh1QzmDpiEycPL5vQeC4F8zfkLbeg5dSY4wktSSES9SdvcfzIwwt4ogRQhebKyvXyRjhOSmQfVUznGMeyNh2axiVG4wUhsE6V2rD85n7SJSsIpdXQqgD9q7bRmjjzXLQaT1myrcqrLqKAfZaSnm7HnAcPKlYTx3eBD4rTtM2ExUf9Ag91R61hOAA134Alx39Kcbns0nHXdmkRcMrn6Z3ivZ4YIE1lhTPE9uItg3wp6vRiVPVF7V96viOqGnOsNeCkRJ3XQEE8vKZrtiogDSB !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/MYM57PZKKZKVJWS2PAFUZ4ZUZRK3JW4O1VQBMFON3RZIMKZ9CGVFLH2HV089EGT5

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Modifies extensions of user files 11 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

darks.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ReadAdd.raw.70d4d153	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SetUnlock.tiff.70d4d153	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\AddUnlock.tif.70d4d153	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\MountStart.png.70d4d153	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\PushExit.tiff.70d4d153	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SetStep.tiff.70d4d153	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\StepUnpublish.raw.70d4d153	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectApprove.tif.70d4d153	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\DenyUnlock.tiff.70d4d153	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\MoveExport.tif.70d4d153	darks.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SendConvertFrom.png.70d4d153	darks.bin.exe

Drops startup file 2 IoCs

Processes:

darks.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.70d4d153.TXT	darks.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.70d4d153.TXT	darks.bin.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

DArkS.bin.exedarks.bin.exe

description ioc process

File opened (read-only) \??\Z: DArkS.bin.exe
File opened (read-only) \??\Z: darks.bin.exe

description	ioc	process
File opened (read-only)	\??\Z:	DArkS.bin.exe
File opened (read-only)	\??\Z:	darks.bin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

DArkS.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\70d4d153.BMP"	DArkS.bin.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

DArkS.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop	DArkS.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallpaperStyle = "10"	DArkS.bin.exe

Modifies data under HKEY_USERS 62 IoCs

Processes:

darks.bin.exeDArkS.bin.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 72ae8f39aed12f711a400b19a73960c52270fb3def4a5e081dd456e7eaf0dedc	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 056fdb844d23cd0a1fd6c34f9a7da8a9068167dddf8dffcb0ef28aeb623a50d2	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 91bfaf8fc75c95e20f0170a62581230aed1065e4e026dfe7e8c064092212d151	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 08f32c5bc04dce6ec2889bfd826eb94d9a6ffe9105a5faa5cc520313da20288c	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 73540b90adb1f60a7f7684dd37b8353d1b3adbb65bf3a9a95c6640dd1a21210d	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 04b349cd61c2e6db6dbdef19cd2373a121f41b2bdf9c4b6edb656c9ba0958051	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 088274ac31a59d947855a0d37cbf700c6c69d4349058003286a28a952b192534	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = ad348e3348c1afa6f73258af353202fba3790a8123919a385685dbfae60f3b90	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 013860bff3ca45cb55ed5db3d1a9f735184519aa3cdf364ca000b3cb28711de8	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 024a6f0a3c71b70f9e0290aa8104e03aba1d8061e53d38ee56ce0d41d04e1ef1	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 3eafd236bf82f4abf354b046fcf255bbfb1ea2c085a9c9684481d320f0559f89	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f007200740061006e0061005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e0064006100740000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d002e0062006c00660000000000	darks.bin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\70d4d153.BMP"	DArkS.bin.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = f8751f1178c034dafb33350fc1f7c0c868f4e01095250ceb9f2c662cfcc49d11	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 47f49960c9ced3689828f00c7aecfd27c3a378d2d0bbb90f2a15ef452419f2d6	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 454671f83bb6887fddbd9bcb341fb159d614db21a1ee5c6ec41a9062ad82eb07	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c00540069006c00650044006100740061004c0061007900650072005c00440061007400610062006100730065005c004500440042002e006c006f00670000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 667d663ae82c3a97a8da68f23aacaafe35793ab33881c09aaa2d0647bb9f4efb	darks.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = cd5336e88fea984e703cd97daca4051a69f1f6e8c4f5acd036bea8dc3ecf5113	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f007200740061006e0061005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e006400610074002e004c004f004700310000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e005300680065006c006c0045007800700065007200690065006e006300650048006f00730074005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e0064006100740000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c00540065006d0070006f007200610072007900200049006e007400650072006e00650074002000460069006c00650073005c0063006f0075006e00740065007200730032002e0064006100740000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d002e0062006c00660000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 464c77407c11f5da79f9ea5fba4a3b6bda12b0ecd3808738c58af0d629a82198	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 9b65db558de9f7375ca85b5cae8ac4e7b3c6354cb11a01268cdb2477442c95c0	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f007200740061006e0061005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e0064006100740000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 67323090ba74e0359ef2e54908b2d9bd9050e272087f2cf7e70cfc6643acb7ba	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 271d3a136b9d09fbbec7f80b5713de9b6fa6cf3d51a87c244e0ea27902d1231b	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = aecb1766ae72327cea9e8b9f1cf08d2276fbecc213cfe4652adbf5117c6206ac	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 70324fc77d72f46c0c4d483aef50562f5756c1eb842db7cb29c3a577c5ff9c50	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 75f199b9f335899361b2829aa4cb8fc566c6aa288760b63a7a364b173e0ddc58	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 63e2e59670899f4f301d4776ba1aed666876a6f8fce9bee6821085390855c645	darks.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = efb889ebc97cf8e6c0543af1a8e6ef374d573a82ae39e132f7e5a5566a0ccbb3	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 4f39cffb04018ac29b2a6398d8afe5e407cdbddcc1d2f1d539dd6a785add6ca8	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = fb6717653238cd8c74544a54bd043406d5ad6594a11d4552e3b2d9cf5ea6c9ca	darks.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 4c050000fc3f61e7e773d701	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = f3ccd25ca99310d4d891b2afd84c5e20be0f48e50d7c2c65d333b09231c40aa1	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 0388d7ed2535ca2abbc431bfdc12e5ffed98ad9515e0e5af09aa51a2f5d26daf	darks.bin.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 037fc139a5eeaa9a19a81553cd67713f6369bb31e9d8b96d37f8893abddaca94	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = bede80216b8bdc9836d7999a60dc3abbb536d8b37078b233bbd4f98d6575f8aa	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 921b328fefe38c5b63de7ec2a6fd6e947312b2cfec16a6f1094df99295ac08a9	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 4d3f007cb6b02841757b0ec19d0295546cc947ea56735f1bca7ec86cdb88d216	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = ba8463c5829a13b76368a1bb1d0924d012f8994ab67ec420b4977b093072d525	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 7122ad7280247e658d2038b5a6a1d43174cc7814c287685ed674a0792f3e1301	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f007200740061006e0061005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e006400610074002e004c004f004700310000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 044fad7889588af3fa2d1a813c1670909126cfc3d124d77fc93ae568d822e70e	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 823b6a1e299727bb4e008552fa2bb26f2cf324aa47a140542b9717fcc25b1eab	darks.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e005300680065006c006c0045007800700065007200690065006e006300650048006f00730074005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e006400610074002e004c004f004700310000000000	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = b46ec7797507d67d5a17174fb0975e7887205e25ef53d4a895d6129ec4a4306e	darks.bin.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	darks.bin.exe

Modifies registry class 26 IoCs

Processes:

SearchUI.exeDArkS.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\70d4d153\DefaultIcon	DArkS.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0"	SearchUI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.70d4d153\ = "70d4d153"	DArkS.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.70d4d153	DArkS.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\70d4d153	DArkS.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\70d4d153\DefaultIcon\ = "C:\\ProgramData\\70d4d153.ico"	DArkS.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DArkS.bin.exedarks.bin.exe

pid	process
3304	DArkS.bin.exe
3304	DArkS.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe
1356	darks.bin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3108 vssvc.exe
Token: SeRestorePrivilege 3108 vssvc.exe
Token: SeAuditPrivilege 3108 vssvc.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SearchUI.exeShellExperienceHost.exe

pid process

368 SearchUI.exe
4068 ShellExperienceHost.exe
4068 ShellExperienceHost.exe

description	pid	process
Token: SeBackupPrivilege	3108	vssvc.exe
Token: SeRestorePrivilege	3108	vssvc.exe
Token: SeAuditPrivilege	3108	vssvc.exe

pid	process
368	SearchUI.exe
4068	ShellExperienceHost.exe
4068	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

DArkS.bin.exeDArkS.bin.exe

description	pid	process	target process
PID 1672 wrote to memory of 3304	1672	DArkS.bin.exe	DArkS.bin.exe
PID 1672 wrote to memory of 3304	1672	DArkS.bin.exe	DArkS.bin.exe
PID 1672 wrote to memory of 3304	1672	DArkS.bin.exe	DArkS.bin.exe
PID 1672 wrote to memory of 3304	1672	DArkS.bin.exe	DArkS.bin.exe
PID 3304 wrote to memory of 1356	3304	DArkS.bin.exe	darks.bin.exe
PID 3304 wrote to memory of 1356	3304	DArkS.bin.exe	darks.bin.exe
PID 3304 wrote to memory of 1356	3304	DArkS.bin.exe	darks.bin.exe
PID 3304 wrote to memory of 2172	3304	DArkS.bin.exe	darks.bin.exe
PID 3304 wrote to memory of 2172	3304	DArkS.bin.exe	darks.bin.exe
PID 3304 wrote to memory of 2172	3304	DArkS.bin.exe	darks.bin.exe

C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe
"C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe"
1⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe
"C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe
"C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe"
2⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3304

C:\Users\Admin\AppData\Local\Temp\darks.bin.exe
C:\Users\Admin\AppData\Local\Temp\darks.bin.exe -work worker0 job0-3304
3⤵
- Modifies extensions of user files
- Drops startup file
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1356

C:\Users\Admin\AppData\Local\Temp\darks.bin.exe
C:\Users\Admin\AppData\Local\Temp\darks.bin.exe -work worker1 job1-3304
3⤵
- Enumerates connected drives
PID:2172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:368

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
- Drops file in Windows directory
PID:3124

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LOGS.70d4d153\LOG.70d4d153.PID-0.TXT
MD5
4cb1a04be4a8f158bd30c80da609d4b3

SHA1
23e93b8549fcd653585aedf30504b652fc827362

SHA256
9bdf6132b8c630cd38346765661f64398f4744a252640b9227e5257c03ceedb0

SHA512
29b3b9ad8e73fad3713184edb460530e435a9340893dea56524f6390570f91e76dfa5783bd5f177f4733dba9c8ae87c13a534038e1d6242859483ba9e664d9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOGS.70d4d153\LOG.70d4d153.PID-0.TXT
MD5
4cb1a04be4a8f158bd30c80da609d4b3

SHA1
23e93b8549fcd653585aedf30504b652fc827362

SHA256
9bdf6132b8c630cd38346765661f64398f4744a252640b9227e5257c03ceedb0

SHA512
29b3b9ad8e73fad3713184edb460530e435a9340893dea56524f6390570f91e76dfa5783bd5f177f4733dba9c8ae87c13a534038e1d6242859483ba9e664d9a6

Download Submit
memory/1356-117-0x0000000000000000-mapping.dmp

Download
memory/2172-118-0x0000000000000000-mapping.dmp

Download
memory/3124-119-0x00000198726A0000-0x00000198726B0000-memory.dmp

Filesize
64KB

Download
memory/3124-120-0x0000019872A70000-0x0000019872A80000-memory.dmp

Filesize
64KB

Download
memory/3304-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads