darkside | 80c75581d6e09643a8fc7d7e0fa677e95faa64f20141cf493371ea604f6a07c9

General

Target

sample3.exe
Size

59KB
MD5

943a107b88f85fd88198a9df2e1dc0dd
SHA1

bfcf6050ddba6053b738e0c5e54b105880a3c45a
SHA256

80c75581d6e09643a8fc7d7e0fa677e95faa64f20141cf493371ea604f6a07c9
SHA512

bb179e1deb929502a63d37a19f34808329cb0a5f85618aafcc1eb22ecd91966f12c0033c36a84d966c84dfa86172b0af352e10a086f337f404af34256caacf77
SSDEEP

768:GjjmbIax7F3DS4/S9+CuUSbVAdNcxGV1ylvD7Y23W58:Dx7Fu4/ihrhDTV1ylbcZ58

Score

10^/10

darkside credential_access defense_evasion discovery execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Recovery\WindowsRE\README.8f290682.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT When you open our website, put the following data in the input form: Key: 0kZdK3HQhsAkUtvRl41QkOdpJvzcWnCrBjjgg5U4zfuWeTnZR5Ssjd3QLHpmbjxjo7uWzKbt8qPVuYN38TsDPI3bemd5I40ksemIzuI5OhIHZsi9cn3Wpd7OUT72FP9MyAUzR586yMsI2Ygri9in0Bf4EkG0pmBOLyRG1T788foGJQW1WxS1Qd2sMVvX0jKlbGG1zLp7g0u6buDCzSMyTjWjuVzJYufBBv7S2XvciEVvboiTNbZA4UUU6PttKERQSb018aILd6xO3ulk6fbEgZDO5tZSGn2zRevn5YXnHtg6vt1ToLe3izQOgYbs8Ja1fkfJBUYVux1ITyWBjpn0xPayKfwln8SqgMkbqiDyxEDEtFhqiffLcONMhi4TmW50loZIC6mWSaOjThWp6XSJUWPtY8Mkzs8Cs0qjPahx58iAEVIRGUVpLkMs7xPN7ydZ6wMWaOcRC1AD1JEUVTjLikXXyckgYaS6FnEv0UNEsv6QbTLSpDomIg3rEYZBib6ozrwH5n0M5wrKo8NciUBmfJWDP4XKkjznpsa05rEpuAklM0dMmZsYGVR !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Darkside family
darkside
Renames multiple (151) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sample3.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4768	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\8f290682.BMP"	sample3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\8f290682.BMP"	sample3.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sample3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 1 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\WallpaperStyle = "10"	sample3.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\8f290682\DefaultIcon	sample3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\8f290682	sample3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\8f290682\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\8f290682.ico"	sample3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.8f290682	sample3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.8f290682\ = "8f290682"	sample3.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4768	powershell.exe
4768	powershell.exe
2096	sample3.exe
2096	sample3.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2096	sample3.exe
Token: SeSecurityPrivilege	2096	sample3.exe
Token: SeTakeOwnershipPrivilege	2096	sample3.exe
Token: SeLoadDriverPrivilege	2096	sample3.exe
Token: SeSystemProfilePrivilege	2096	sample3.exe
Token: SeSystemtimePrivilege	2096	sample3.exe
Token: SeProfSingleProcessPrivilege	2096	sample3.exe
Token: SeIncBasePriorityPrivilege	2096	sample3.exe
Token: SeCreatePagefilePrivilege	2096	sample3.exe
Token: SeBackupPrivilege	2096	sample3.exe
Token: SeRestorePrivilege	2096	sample3.exe
Token: SeShutdownPrivilege	2096	sample3.exe
Token: SeDebugPrivilege	2096	sample3.exe
Token: SeSystemEnvironmentPrivilege	2096	sample3.exe
Token: SeRemoteShutdownPrivilege	2096	sample3.exe
Token: SeUndockPrivilege	2096	sample3.exe
Token: SeManageVolumePrivilege	2096	sample3.exe
Token: 33	2096	sample3.exe
Token: 34	2096	sample3.exe
Token: 35	2096	sample3.exe
Token: 36	2096	sample3.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeBackupPrivilege	4552	vssvc.exe
Token: SeRestorePrivilege	4552	vssvc.exe
Token: SeAuditPrivilege	4552	vssvc.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 4768	2096	sample3.exe	86
PID 2096 wrote to memory of 4768	2096	sample3.exe	86
PID 2096 wrote to memory of 632	2096	sample3.exe	101
PID 2096 wrote to memory of 632	2096	sample3.exe	101
PID 2096 wrote to memory of 632	2096	sample3.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\sample3.exe
"C:\Users\Admin\AppData\Local\Temp\sample3.exe"
1⤵
- Checks computer location settings
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\sample3.exe >> NUL
  2⤵
  - System Location Discovery: System Language Discovery
  PID:632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Credentials from Password Stores

2

T1555

Credentials from Web Browsers

1

T1555.003

Windows Credential Manager

1

T1555.004

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\README.8f290682.TXT

Filesize
1KB

MD5
65494ea6831e577d82fac2b91b9c3d43

SHA1
5c23717d22ee9b94306f2d5a2a53c60aca03eb8c

SHA256
5e98b41a51606e16dda30ad4a49457227f75d71ad2004e2942c6b8de6202c4f3

SHA512
28ba13f7793ac8271af03b26eaeba6cbe707bf1f07fb1792818a6ab270d1c20d0091ef4a10c092f60c373aefe09698d2b470ec6a7f8cfa47103fd8bbb8d7a7bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fd526ac26f25975990d9a427bdec5555

SHA1
2204006bf18e60088039218dbecc003db10de5e2

SHA256
595066b1da0b5712ed7f41d9efe92701e7b3c85a7e0c3e840b735a76cc6dc7f3

SHA512
449bd4fffc29ace585c5ee7f2403fa829bbcd5b765a4078884fc26e99097e96d3e6710d8cd6f45f593b7a26352899118ac193001589ccfb4744f7e4016a423e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_folsowyo.boq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4768-1-0x00007FF9817A3000-0x00007FF9817A5000-memory.dmp

Filesize
8KB

Download
memory/4768-2-0x000001D9DA690000-0x000001D9DA6B2000-memory.dmp

Filesize
136KB

Download
memory/4768-12-0x00007FF9817A0000-0x00007FF982261000-memory.dmp

Filesize
10.8MB

Download
memory/4768-13-0x00007FF9817A0000-0x00007FF982261000-memory.dmp

Filesize
10.8MB

Download
memory/4768-14-0x00007FF9817A0000-0x00007FF982261000-memory.dmp

Filesize
10.8MB

Download
memory/4768-17-0x00007FF9817A0000-0x00007FF982261000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing