darkside | 5e210a42996ad14924d70184043cb304be7f555a20d8937ae4502e01d4cf33aa

General

Target

98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe
Size

700KB
MD5

46a1325bb01e37e0ee2d2ba37db257f2
SHA1

fde5f666007cdb1fd1dddd2fefbed916992e9e65
SHA256

98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63
SHA512

2244ad1c7cc1814d0ca2a646ad1d158fef6a269bfcaa327d46400c6ab7edb595b1c47393cfcbb9b15c6f748f50515a4da397733972198453822b03757861ff72

Score

10^/10

darkside ransomware

Malware Config

Extracted

Path

C:\Recovery\6e3e77a2-1a56-11ec-8d0f-c222d480bba6\README.txt

Family

darkside

Ransom Note

WINNER WINNER CHICKEN DINNER What happend? ############################################## All your servers and computers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ############################################## We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one image file for free. The file size should be no more than 2 MB. Contact us by email: [email protected] !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

Emails

[email protected]

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\DisconnectPop.tif.decaf	98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe
File created	C:\Users\Admin\Pictures\DismountSubmit.tiff.decaf	98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe
File created	C:\Users\Admin\Pictures\MountRegister.tif.decaf	98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe
File created	C:\Users\Admin\Pictures\EnableSuspend.png.decaf	98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeRepair.tiff	98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe
File created	C:\Users\Admin\Pictures\InitializeRepair.tiff.decaf	98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe
File created	C:\Users\Admin\Pictures\MeasureSelect.raw.decaf	98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe
File created	C:\Users\Admin\Pictures\AssertInstall.tif.decaf	98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe
File created	C:\Users\Admin\Pictures\CompressRestart.tif.decaf	98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe
File created	C:\Users\Admin\Pictures\ExpandRegister.png.decaf	98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe
File created	C:\Users\Admin\Pictures\UnregisterMount.crw.decaf	98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe
File created	C:\Users\Admin\Pictures\DenyUnregister.raw.decaf	98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe
File opened for modification	C:\Users\Admin\Pictures\DismountSubmit.tiff	98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe
File created	C:\Users\Admin\Pictures\ReadMount.tif.decaf	98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1000	1100	98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe	31
PID 1100 wrote to memory of 1000	1100	98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe	31
PID 1100 wrote to memory of 1000	1100	98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe	31

C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe
"C:\Users\Admin\AppData\Local\Temp\98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63.exe"
1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\system32\cipher.exe
  cipher.exe /w:C:\
  2⤵
  PID:1000

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads