Analysis

  • max time kernel
    135s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/06/2023, 02:41

General

  • Target

    2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe

  • Size

    146KB

  • MD5

    33228a20a7e985f02e2ddd73cccde729

  • SHA1

    58ab960e629a609d135e1988c72f2991e5f76e30

  • SHA256

    0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194

  • SHA512

    075002dd1b0f8e536c1ff99d30368f5adfc90a2f3e7a74c9770119e7b54a5851236657b7edcb735d457e78a7e67b7c285b6ceaa6ca2907542ac208dfc8c9aabe

  • SSDEEP

    3072:36glyuxE4GsUPnliByocWepqFPUBwrqveV84:36gDBGpvEByocWe8MB4G

Malware Config

Signatures

  • Renames multiple (606) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\ProgramData\FE79.tmp
      "C:\ProgramData\FE79.tmp"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:300
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\FE79.tmp >> NUL
        3⤵
        PID:1012
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2724

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\AAAAAAAAAAA

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\BBBBBBBBBBB

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\CCCCCCCCCCC

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\EEEEEEEEEEE

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\FFFFFFFFFFF

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\GGGGGGGGGGG

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\HHHHHHHHHHH

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\IIIIIIIIIII

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\JJJJJJJJJJJ

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\KKKKKKKKKKK

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\LLLLLLLLLLL

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\MMMMMMMMMMM

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\NNNNNNNNNNN

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\OOOOOOOOOOO

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\PPPPPPPPPPP

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\QQQQQQQQQQQ

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\RRRRRRRRRRR

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\SSSSSSSSSSS

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\TTTTTTTTTTT

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\UUUUUUUUUUU

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\VVVVVVVVVVV

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\WWWWWWWWWWW

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\XXXXXXXXXXX

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\YYYYYYYYYYY

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\desktop.ini

      Filesize

      129B

      MD5

      9e3824dab7051fceac6a678c1831d47e

      SHA1

      dd6bd885e9f26601b22065a07830f177d2be9a97

      SHA256

      481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862

      SHA512

      3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

    • C:\AFfGduKAp.README.txt

      Filesize

      388B

      MD5

      8ea6710e6f8f45b1d3133cc7b0aefe43

      SHA1

      08deb87471ad3058f62b09204a2c8b2bc9ac113c

      SHA256

      1becc65997805f547ce0d63624d630a9140f1e8f30ee1deb3aace98181e73fb4

      SHA512

      6254c935f2580ffa14d53ec17427dc8fcc8480c19b89ef31c4a8469d792335225160b44da6c50f39b1dfe2eac75d59235f2e1fdda60a37c96c77b51ee33b4767

    • C:\ProgramData\FE79.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      146KB

      MD5

      2512428c84d0c83894dc5c0a267440e4

      SHA1

      5a7cee3446b09c4f9945c5f07e58fd6ec22728ef

      SHA256

      2e01b1198d9839506cd81fde45f5f0348244773917abdd77b1baf9778a88c271

      SHA512

      5a356604bbd13742b8fc6de4a9c2ffa8543816c0233bc5891c342089a26c03150015335d6850d0848029f6bbceb8c3587fa08084c0a48dc2c355087c55e77351

    • memory/300-2886-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

      Filesize

      4KB

    • memory/300-2884-0x0000000000680000-0x0000000000690000-memory.dmp

      Filesize

      64KB

    • memory/300-2885-0x000000007FE20000-0x000000007FE21000-memory.dmp

      Filesize

      4KB

    • memory/300-2883-0x0000000000680000-0x0000000000690000-memory.dmp

      Filesize

      64KB

    • memory/300-2882-0x000000007FE40000-0x000000007FE41000-memory.dmp

      Filesize

      4KB

    • memory/300-2880-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

      Filesize

      4KB

    • memory/300-2881-0x000000007FE00000-0x000000007FE01000-memory.dmp

      Filesize

      4KB

    • memory/4956-134-0x0000000002D70000-0x0000000002D80000-memory.dmp

      Filesize

      64KB

    • memory/4956-2645-0x0000000002D70000-0x0000000002D80000-memory.dmp

      Filesize

      64KB

    • memory/4956-2636-0x0000000002D70000-0x0000000002D80000-memory.dmp

      Filesize

      64KB

    • memory/4956-2633-0x0000000002D70000-0x0000000002D80000-memory.dmp

      Filesize

      64KB

    • memory/4956-133-0x0000000002D70000-0x0000000002D80000-memory.dmp

      Filesize

      64KB