Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    30-08-2024 23:24

General

  • Target

    2024-08-30_608c27640c4d305f54a7f9ec2e0d20c9_darkside.exe

  • Size

    122KB

  • MD5

    608c27640c4d305f54a7f9ec2e0d20c9

  • SHA1

    d6bdb127f81f2c1b71f1a51661cf7aed77f1db23

  • SHA256

    a96b76f8290757ebdd6c5b85b555e69ea14d2cb6338e4c65e93a32a7d1218637

  • SHA512

    9e64214961b032cb37dca760dd92959011bb6c5c1797b830f4c71fc7940fbb5d357ab3989cb425a75de2a7b91be116956b9bea7b3279063b05717ed01d5d5585

  • SSDEEP

    768:miN4q1eksgR4SiI+rxQ3rjFrXRRWxXyw/AfydfIaJ/ZB49j9xOOLvSw9kvAx0:R4HHerjZX7pL2JKjSOVi

Malware Config

Extracted

Path

C:\README.827f117e.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have downloaded more then 500GB data from your network. Included: -Accounting data -Finance data -HR -Employees confidential data(photos, benefits, taxes, etc) -Marketing -Budgets -Taxes(sales tax compliance, property, income and franchise taxes, etc) -Payrolls -Banking data -Arbitration -Scans -Insurance -Reconciliations -Reports(monthly bank inventory, monthly financial, claims reports, etc) -Audits(DHG, insurance audits, etc) -B2B clients config data -Confidentiality 2020 -2020, 2021 Business plans -2019, 2020, 2021 years Closing (full dumps) -and a lot of other sensitive data Your personal leak page: http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q On the page you will find examples of files that have been downloaded. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM When you open our website, put the following data in the input form: Key: ug8lgpX3WrFzlEJ6HBWlwJnf7jemhfnlxBw9porj1uuYFTgKbxJQJLYiteQS7DwgZn7dH0fs7qPPWmZ6inPv5GTmSJZNAjGLVIjd4SoiyTdGyophf0zPBxx6uEAOJxM0Woo4ZGeKVoUDHtZsqZNnhMF7aPh54VnKpIJXiZDbZZw4P06xTuw1UMeiTE7wdg7HWZMepAVTzEI2W04RbkPFQHfUgEDcslDxbr83BvopYTYGKFRmtNUMH8OsOZQrOtv50xWDaOfbqxbzfHMJm30QGaGpgylJHQZsscz3XBnwIdvlwBJ9KN4DVgFgziRdvwJrfCP6YN1CYTOQgw1rzqmIU4G1xGYv7rE3jiBY1s4D3Y26SbppTceAVMu1mKx5CFIE3EbtcAsNtEqLHDbPnMCvU6Apwp17TXGob8xXJpEDBZhIzdTaCuybcprwcFNTOzccjbIH81W39MrcJi9mNO3kHRe5fxmIFKvc9v8aQDihGyC65DtdabyBjidXI1NyNONT4PTyrxYqgffPsNDFuzz2yMrXiTAwtAQPqny5BBJQsfVhpLXTtnLvWg1 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

  • Renames multiple (181) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-30_608c27640c4d305f54a7f9ec2e0d20c9_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-30_608c27640c4d305f54a7f9ec2e0d20c9_darkside.exe"
    1⤵
      PID:2000
    • C:\Users\Admin\AppData\Local\Temp\2024-08-30_608c27640c4d305f54a7f9ec2e0d20c9_darkside.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-08-30_608c27640c4d305f54a7f9ec2e0d20c9_darkside.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:720
      • C:\Users\Admin\AppData\Local\Temp\2024-08-30_608c27640c4d305f54a7f9ec2e0d20c9_darkside.exe
        "C:\Users\Admin\AppData\Local\Temp\2024-08-30_608c27640c4d305f54a7f9ec2e0d20c9_darkside.exe"
        2⤵
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2256
        • C:\Users\Admin\AppData\Local\Temp\2024-08-30_608c27640c4d305f54a7f9ec2e0d20c9_darkside.exe
          C:\Users\Admin\AppData\Local\Temp\2024-08-30_608c27640c4d305f54a7f9ec2e0d20c9_darkside.exe -work worker0 job0-2256
          3⤵
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:2648
        • C:\Users\Admin\AppData\Local\Temp\2024-08-30_608c27640c4d305f54a7f9ec2e0d20c9_darkside.exe
          C:\Users\Admin\AppData\Local\Temp\2024-08-30_608c27640c4d305f54a7f9ec2e0d20c9_darkside.exe -work worker1 job1-2256
          3⤵
          • Enumerates connected drives
          PID:2620
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:380

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\README.827f117e.TXT

      Filesize

      3KB

      MD5

      164aa420be8e0c2bcdef574355edaa32

      SHA1

      4336eaafedfc18a27cdf42bffad63b5a54ea8231

      SHA256

      b326d11dd90c2e4efb0a384981f71c2bd1a6faa0553d6389acb08945b699f73d

      SHA512

      fd1437bc4f45e3f4b5c3d0e7fca9383f45edceb5c8cb603d0b8ee98350a5f2468c2aabdb66f16bdee0bac49afefa4300a093a54ee43b1ff28a541ae612e34d9d