darkside | 156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673

General

Target

156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.bin.dll
Size

54KB
MD5

f587adbd83ff3f4d2985453cd45c7ab1
SHA1

2715340f82426f840cf7e460f53a36fc3aad52aa
SHA256

156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673
SHA512

37acf3c7a0b52421b4b33b14e5707497cfc52e57322ad9ffac87d0551220afc202d4c0987460d295077b9ee681fac2021bbfdebdc52c829b5f998ce7ac2d1efe

Score

10^/10

darkside ransomware

Malware Config

Extracted

Path

C:\\README.bc654380.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB5QXP6LUZV654ASG7977V When you open our website, put the following data in the input form: Key: lmrlfxpjZBun4Eqc4Xd4XLJxEOL5JTOTLtwCOqxqxtFfu14zvKMrLMUiGV36bhzV5nfRPSSvroQiL6t36hV87qDIDlub946I5ud5QQIZC3EEzHaIy04dBugzgWIBf009Hkb5C7IdIYdEb5wH80HMVhurYzet587o6GinzDBOip4Bz7JIznXkqxIEHUN77hsUM8pMyH8twWettemxqB3PIOMvr7Aog9AIl1QhCYXC1HX97G5tp7OTlUfQOwtZZt5gvtMkOJ9UwgXZrRSDRc8pcCgmFZhGsCalBmIC08HCA40P7r5pcEn2PdBA6tt5oHma19OMBra3NwlkZVUVfIql643VPuvDLNiDtdR1EZhP1vb2t2HsKlGOffG7ql9Y2JWcu2uwjqwVdSzQtlXWM6mEy3xdm3lcJnztQ5Nh7jJ7bYgAb1hODbN9UektcOzYC0e0ZqjPVLY3opxNvYgCk8Bz9clmNXqsvMjBQXJQVb8o0IPMcDjYyhJuG0EevGlAWVq8WGS7JraW22zvlz8SQ4HdgUEJR0VbrsitXqIbIF9S2XGZmtxEsRStAey !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/ZWQHXVE7MW9JXE5N1EGIP6IMEFAGC7LNN6WJCBVKJFKB5QXP6LUZV654ASG7977V

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Drops file in System32 directory 4 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	rundll32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bc654380\DefaultIcon	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bc654380	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bc654380\DefaultIcon\ = "C:\\ProgramData\\bc654380.ico"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bc654380	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bc654380\ = "bc654380"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3684 rundll32.exe
3684 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 380 vssvc.exe
Token: SeRestorePrivilege 380 vssvc.exe
Token: SeAuditPrivilege 380 vssvc.exe

pid	process
3684	rundll32.exe
3684	rundll32.exe

description	pid	process
Token: SeBackupPrivilege	380	vssvc.exe
Token: SeRestorePrivilege	380	vssvc.exe
Token: SeAuditPrivilege	380	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 4092 wrote to memory of 3352	4092	rundll32.exe	rundll32.exe
PID 4092 wrote to memory of 3352	4092	rundll32.exe	rundll32.exe
PID 4092 wrote to memory of 3352	4092	rundll32.exe	rundll32.exe
PID 2648 wrote to memory of 2756	2648	rundll32.exe	rundll32.exe
PID 2648 wrote to memory of 2756	2648	rundll32.exe	rundll32.exe
PID 2648 wrote to memory of 2756	2648	rundll32.exe	rundll32.exe
PID 2756 wrote to memory of 3684	2756	rundll32.exe	rundll32.exe
PID 2756 wrote to memory of 3684	2756	rundll32.exe	rundll32.exe
PID 2756 wrote to memory of 3684	2756	rundll32.exe	rundll32.exe
PID 3684 wrote to memory of 2500	3684	rundll32.exe	rundll32.exe
PID 3684 wrote to memory of 2500	3684	rundll32.exe	rundll32.exe
PID 3684 wrote to memory of 2500	3684	rundll32.exe	rundll32.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:3412

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.bin.dll,#1
2⤵
PID:3352

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:3012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.bin.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.bin.dll,#1
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\156335b95ba216456f1ac0894b7b9d6ad95404ac7df447940f21646ca0090673.bin.dll,#3 worker0 job0-3684
4⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:3488

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads