Analysis
-
max time kernel
208s -
max time network
103s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
02-06-2023 14:51
Static task
static1
Behavioral task
behavioral1
Sample
Darkside.exe
Resource
win7-20230220-en
General
-
Target
Darkside.exe
-
Size
59KB
-
MD5
cfcfb68901ffe513e9f0d76b17d02f96
-
SHA1
766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
-
SHA256
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
-
SHA512
0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c
-
SSDEEP
768:9jjV7Iax7F3DS4/S96/P3rsAc4ci5pwwX5+R4VYY23W5:vx7Fu4/i6/P3rlckx5+R4VDZ5
Malware Config
Extracted
C:\Users\Admin\README.cb67907a.TXT
darkside
http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF
http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Renames multiple (183) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies extensions of user files 17 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Darkside.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\OutRegister.tif.cb67907a Darkside.exe File renamed C:\Users\Admin\Pictures\ProtectPublish.tiff => C:\Users\Admin\Pictures\ProtectPublish.tiff.cb67907a Darkside.exe File renamed C:\Users\Admin\Pictures\BackupRestore.tif => C:\Users\Admin\Pictures\BackupRestore.tif.cb67907a Darkside.exe File opened for modification C:\Users\Admin\Pictures\BackupRestore.tif.cb67907a Darkside.exe File opened for modification C:\Users\Admin\Pictures\ConnectShow.tiff Darkside.exe File opened for modification C:\Users\Admin\Pictures\ProtectPublish.tiff Darkside.exe File opened for modification C:\Users\Admin\Pictures\ProtectPublish.tiff.cb67907a Darkside.exe File renamed C:\Users\Admin\Pictures\PublishExit.png => C:\Users\Admin\Pictures\PublishExit.png.cb67907a Darkside.exe File opened for modification C:\Users\Admin\Pictures\ConnectShow.tiff.cb67907a Darkside.exe File opened for modification C:\Users\Admin\Pictures\FindMount.tiff.cb67907a Darkside.exe File renamed C:\Users\Admin\Pictures\OutRegister.tif => C:\Users\Admin\Pictures\OutRegister.tif.cb67907a Darkside.exe File renamed C:\Users\Admin\Pictures\ConnectShow.tiff => C:\Users\Admin\Pictures\ConnectShow.tiff.cb67907a Darkside.exe File renamed C:\Users\Admin\Pictures\FindMount.tiff => C:\Users\Admin\Pictures\FindMount.tiff.cb67907a Darkside.exe File renamed C:\Users\Admin\Pictures\GroupBlock.tif => C:\Users\Admin\Pictures\GroupBlock.tif.cb67907a Darkside.exe File opened for modification C:\Users\Admin\Pictures\FindMount.tiff Darkside.exe File opened for modification C:\Users\Admin\Pictures\GroupBlock.tif.cb67907a Darkside.exe File opened for modification C:\Users\Admin\Pictures\PublishExit.png.cb67907a Darkside.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 3316 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
Darkside.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\cb67907a.BMP" Darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\cb67907a.BMP" Darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
Darkside.exepid process 1052 Darkside.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 1 IoCs
Processes:
Darkside.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Control Panel\Desktop\WallpaperStyle = "10" Darkside.exe -
Modifies registry class 5 IoCs
Processes:
Darkside.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cb67907a\ = "cb67907a" Darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cb67907a\DefaultIcon Darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cb67907a Darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cb67907a\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\cb67907a.ico" Darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cb67907a Darkside.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exeDarkside.exepid process 1904 powershell.exe 1052 Darkside.exe 1052 Darkside.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
Darkside.exepowershell.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 1052 Darkside.exe Token: SeSecurityPrivilege 1052 Darkside.exe Token: SeTakeOwnershipPrivilege 1052 Darkside.exe Token: SeLoadDriverPrivilege 1052 Darkside.exe Token: SeSystemProfilePrivilege 1052 Darkside.exe Token: SeSystemtimePrivilege 1052 Darkside.exe Token: SeProfSingleProcessPrivilege 1052 Darkside.exe Token: SeIncBasePriorityPrivilege 1052 Darkside.exe Token: SeCreatePagefilePrivilege 1052 Darkside.exe Token: SeBackupPrivilege 1052 Darkside.exe Token: SeRestorePrivilege 1052 Darkside.exe Token: SeShutdownPrivilege 1052 Darkside.exe Token: SeDebugPrivilege 1052 Darkside.exe Token: SeSystemEnvironmentPrivilege 1052 Darkside.exe Token: SeRemoteShutdownPrivilege 1052 Darkside.exe Token: SeUndockPrivilege 1052 Darkside.exe Token: SeManageVolumePrivilege 1052 Darkside.exe Token: 33 1052 Darkside.exe Token: 34 1052 Darkside.exe Token: 35 1052 Darkside.exe Token: SeDebugPrivilege 1904 powershell.exe Token: SeBackupPrivilege 588 vssvc.exe Token: SeRestorePrivilege 588 vssvc.exe Token: SeAuditPrivilege 588 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
Darkside.exedescription pid process target process PID 1052 wrote to memory of 1904 1052 Darkside.exe powershell.exe PID 1052 wrote to memory of 1904 1052 Darkside.exe powershell.exe PID 1052 wrote to memory of 1904 1052 Darkside.exe powershell.exe PID 1052 wrote to memory of 1904 1052 Darkside.exe powershell.exe PID 1052 wrote to memory of 3316 1052 Darkside.exe cmd.exe PID 1052 wrote to memory of 3316 1052 Darkside.exe cmd.exe PID 1052 wrote to memory of 3316 1052 Darkside.exe cmd.exe PID 1052 wrote to memory of 3316 1052 Darkside.exe cmd.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Darkside.exe"C:\Users\Admin\AppData\Local\Temp\Darkside.exe"1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\Darkside.exe >> NUL2⤵
- Deletes itself
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5392591b8976c442cce54eab6a47773bb
SHA1c98ab3a498eda87c6f9cb4e4c5be499680312535
SHA256e5f9bae819b3ef8d7171ae04a1d00d2ec92a7465851681869dec9821a16ed4d0
SHA512dd1ad4cc804e49f59d05044e57266a94e31fb281c058726b875b88480edbee037d2615d2f416e4a51259281be870f4449e1292f3df23755a7813fae432946c79
-
C:\Users\Admin\README.cb67907a.TXTFilesize
3KB
MD5b58e2411168bbdbec635cf4001635db0
SHA1c130cd9caaaa514a6b98c1168e10d44a989d191a
SHA256652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a
SHA51287e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a
-
memory/1904-59-0x000000001B2B0000-0x000000001B592000-memory.dmpFilesize
2.9MB
-
memory/1904-60-0x0000000002360000-0x0000000002368000-memory.dmpFilesize
32KB
-
memory/1904-61-0x0000000002920000-0x00000000029A0000-memory.dmpFilesize
512KB
-
memory/1904-62-0x0000000002920000-0x00000000029A0000-memory.dmpFilesize
512KB
-
memory/1904-63-0x0000000002920000-0x00000000029A0000-memory.dmpFilesize
512KB