Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    25-11-2021 14:35

General

  • Target

    a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe

  • Size

    831KB

  • MD5

    f2cb24bfbd11a22c235f2f492b95c28d

  • SHA1

    e7acd40a42130efc72b3ec0920381f86d9dfd8e2

  • SHA256

    a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850

  • SHA512

    2d2c72d55046008f509a27716ddb7093858a73ec89686a29bbe497fe2c190311cdb54ec15a449d7483b30aa37a82e99c4f19f3e700973518c051b60a12ca64b4

Score
10/10

Malware Config

Extracted

Path

C:\Recovery\590dd5e2-2d4f-11ec-8202-e2f59334bf81\README.txt

Family

darkside

Ransom Note
WINNER WINNER CHICKEN DINNER

What happend?
##############################################
All your servers and computers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data.

What guarantees?
##############################################
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one image file for free. The file size should be no more than 2 MB.

Contact us by email: 22eb687475f2c5ca30b@protonmail.com

!!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
Emails

22eb687475f2c5ca30b@protonmail.com

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe (depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850.exe"
    PID: 1100
    • Modifies extensions of user files
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system32\cipher.exe (depth 2, child of PID 1100)
      Command line: cipher.exe /w:C:\
      PID: 1752


    Downloads

    • memory/1752-55-0x0000000000000000-mapping.dmp