Analysis

  • max time kernel
    75s
  • max time network
    36s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/06/2023, 08:03

General

  • Target

    2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe

  • Size

    146KB

  • MD5

    ac4efeb9f09e844f22a37de5d1a9c505

  • SHA1

    8e099b2e1d405708c1c76b727aaba272496966c8

  • SHA256

    af4c28fb1c65ebe93181b67d279733e864cafab5919a7aa7eced93fc8113df16

  • SHA512

    c6262e7ac5fcaf82700f6b82c3aca0bad612a40905c572b861c6a5227d2ed6d52f7508a2c263eabf93ddd148e8f3872d39d36b8c01e13e2e76e85a5e6d89397a

  • SSDEEP

    3072:M6glyuxE4GsUPnliByocWepDY0k1p8M/DJ6iHrAa:M6gDBGpvEByocWeRY0k77JzH

Malware Config

Signatures

  • Renames multiple (295) files with added filename extension

    Appending a new extension to a large number of files in one run is the hallmark of ransomware encrypting user data; here 295 files were renamed during the 75-second run.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials. In a ransomware run this signature is usually triggered by the encryptor walking the user profile, so on its own it is not evidence of credential theft.

  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

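The two extension signatures are the report's strongest ransomware indicator. The following is an added example, not part of the sandbox report, of the heuristic behind them run over a constructed rename feed: one process appending the same extension to many files in a short window is flagged, while a backup tool appending ".bak" to a handful of files is not. The events, PIDs, the ".locked" extension and the thresholds are all assumptions made for the example; the report does not show which extension this sample appended.

```python
from collections import defaultdict

# Constructed rename events in the shape an EDR/Sysmon feed would give:
# (time_seconds, pid, old_path, new_path). Made up for this example; the
# report does not list individual renames or the extension used.
SAMPLE_EVENTS = (
    # pid 1252 appends ".locked" to 25 documents within 12 seconds
    [(10.0 + i * 0.5, 1252,
      rf"C:\Users\Admin\Documents\doc{i}.docx",
      rf"C:\Users\Admin\Documents\doc{i}.docx.locked") for i in range(25)]
    # pid 900, a backup tool, appends ".bak" to three files: same shape, low volume
    + [(10.0 + i, 900, rf"C:\Backups\cfg{i}.ini", rf"C:\Backups\cfg{i}.ini.bak")
       for i in range(3)]
    # pid 1252 moves a file without appending anything: not a hit
    + [(30.0, 1252, r"C:\Users\Admin\Documents\old.txt",
        r"C:\Users\Admin\Documents\archive\old.txt")]
)


def appended_extension(old_path, new_path):
    """Return the extension appended to old_path by the rename, or None when the
    rename is anything other than old_path -> old_path + '.' + ext."""
    if not new_path.startswith(old_path + "."):
        return None
    ext = new_path[len(old_path) + 1:]
    if not ext or "\\" in ext or "/" in ext:
        return None
    return ext


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_mass_rename(events, threshold=20, window=60.0):
    """Flag processes that appended one and the same extension to at least
    `threshold` files inside any `window`-second span. Returns
    {pid: {"extension", "renames", "burst"}}. The burst count is what the
    threshold is compared against, so a slow trickle of renames spread over
    hours does not trip the rule."""
    per_pid_ext = defaultdict(list)
    for t, pid, old, new in events:
        ext = appended_extension(old, new)
        if ext is not None:
            per_pid_ext[(pid, ext)].append(t)
    hits = {}
    for (pid, ext), times in per_pid_ext.items():
        burst = max_in_window(times, window)
        if burst >= threshold:
            hits[pid] = {"extension": ext, "renames": len(times), "burst": burst}
    return hits


if __name__ == "__main__":
    for pid, info in detect_mass_rename(SAMPLE_EVENTS).items():
        print(f"PID {pid}: appended .{info['extension']} to {info['renames']} files, "
              f"{info['burst']} of them within one window")
```

The threshold and window are the tuning knobs: set them from a baseline of legitimate tools on the estate (archivers, backup agents, build systems rename in bursts too) before deploying the rule as a blocking action.
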
Processes

  • C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe"
    1⤵
    • Modifies extensions of user files
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\ProgramData\2E52.tmp
      "C:\ProgramData\2E52.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2E52.tmp >> NUL
        3⤵
          PID:1516
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x150
      1⤵
        PID:1632
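
Two details in the tree above are worth reading closely. The dropped C:\ProgramData\2E52.tmp removes its own image through a child cmd.exe, using the 8.3 short path C:\PROGRA~3\2E52.tmp and discarding output with ">> NUL"; that is the behaviour behind the "Deletes itself" signature. The child was requested as C:\Windows\System32\cmd.exe but ran from C:\Windows\SysWOW64, which is WoW64 file-system redirection and shows the .tmp is a 32-bit process on this x64 image. The following is an added example, not part of the sandbox report, of detecting that self-delete pattern from process-creation events: a cmd.exe whose DEL target resolves to its own parent's image. The parent/child PIDs follow the tree; the parent of the top process, the benign installer entries, and the PROGRA~3 to ProgramData mapping (the default on a Windows 7 install, but short names depend on directory creation order) are assumptions for the example.

```python
import re

# Constructed process-creation events in the shape of the report's tree:
# (pid, ppid, image, command_line). PIDs 1252 -> 1104 -> 1516 mirror the
# tree above; ppid 1000 and the setup.exe entries are made up for contrast.
SAMPLE_PROCESSES = [
    (1252, 1000,
     r"C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe"'),
    (1104, 1252, r"C:\ProgramData\2E52.tmp", r'"C:\ProgramData\2E52.tmp"'),
    (1516, 1104, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2E52.tmp >> NUL'),
    # benign: an installer deleting a log file that is not its own image
    (2000, 1000, r"C:\Program Files\Setup\setup.exe", r'"C:\Program Files\Setup\setup.exe"'),
    (2001, 2000, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\setup.log'),
]

# 8.3 aliases assumed for this image. PROGRA~3 is ProgramData on a default
# Windows 7 install; the numbering depends on the order directories were created.
SHORT_NAMES = {"PROGRA~3": "ProgramData"}

# "/C DEL [switches...] <target>"; switches such as /F /Q are swallowed by group 1
DEL_RE = re.compile(r"/C\s+DEL\s+((?:/\S+\s+)*)(.+)$", re.IGNORECASE)


def parse_del_target(cmdline):
    """Return the path deleted by a 'cmd.exe /C DEL ...' command line, or None.
    Redirections and chained commands ('>> NUL', '&& ...') are stripped."""
    m = DEL_RE.search(cmdline)
    if not m:
        return None
    target = re.split(r"\s*(?:>>?|&&|\|)\s*", m.group(2), maxsplit=1)[0]
    return target.strip().strip('"')


def normalize(path):
    """Lower-case the path and expand known 8.3 aliases so that
    C:\\PROGRA~3\\x.tmp and C:\\ProgramData\\x.tmp compare equal."""
    parts = [SHORT_NAMES.get(p.upper(), p) for p in path.split("\\")]
    return "\\".join(parts).lower()


def find_self_delete(processes):
    """Return [(cmd_pid, parent_pid, parent_image)] for every cmd.exe whose
    DEL target is the image file of its own parent process."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in processes}
    hits = []
    for pid, (ppid, image, cmd) in by_pid.items():
        if not image.lower().endswith("\\cmd.exe"):
            continue
        target = parse_del_target(cmd)
        if target is None or ppid not in by_pid:
            continue
        parent_image = by_pid[ppid][1]
        if normalize(target) == normalize(parent_image):
            hits.append((pid, ppid, parent_image))
    return hits


if __name__ == "__main__":
    for cmd_pid, parent_pid, parent_image in find_self_delete(SAMPLE_PROCESSES):
        print(f"cmd.exe PID {cmd_pid} deletes the image of its parent PID {parent_pid}: {parent_image}")
```

Matching on the normalized parent image rather than on the literal "DEL /F /Q" string is what keeps the rule from firing on ordinary clean-up scripts; the 8.3 expansion matters because the sample deliberately names its own file by the short path.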

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\ (26 files with identical content)

        AAAAAAAAAAA, BBBBBBBBBBB, CCCCCCCCCCC, DDDDDDDDDDD, EEEEEEEEEEE,
        FFFFFFFFFFF, GGGGGGGGGGG, HHHHHHHHHHH, IIIIIIIIIII, JJJJJJJJJJJ,
        KKKKKKKKKKK, LLLLLLLLLLL, MMMMMMMMMMM, NNNNNNNNNNN, OOOOOOOOOOO,
        PPPPPPPPPPP, QQQQQQQQQQQ, RRRRRRRRRRR, SSSSSSSSSSS, TTTTTTTTTTT,
        UUUUUUUUUUU, VVVVVVVVVVV, WWWWWWWWWWW, XXXXXXXXXXX, YYYYYYYYYYY,
        desktop.ini

        All 26 files, desktop.ini included, have the same size and the same hashes, so the 25 letter-named files hold the same 129 bytes as desktop.ini and amount to one indicator rather than 25 distinct user files.

        Filesize (each)

        129B

        MD5

        e0b80a4f058764a2fda87691d1827e46

        SHA1

        62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5

        SHA256

        7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434

        SHA512

        43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b

      • C:\9y643jKEQ.README.txt

        Filesize

        599B

        MD5

        edcee010067993999219604e44bd2d11

        SHA1

        42e9bd97e2739a47d73a55a7782c488a2e8b363f

        SHA256

        68cb0a6dc8b83207229b79c58416965076b1abb3c9a69a58ece74a8df9fc0cee

        SHA512

        e40771b0c9f66167493bbb3b023be825a9166bc78c847f218b0fe6ab5451130fb682dc3931f3eea22a2ad1a460f7c60fcab3db471ab48d4643fd8256ff6e6e31

      • C:\ProgramData\2E52.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        146KB

        MD5

        fe5b7f500b9d82e3bd31ae0da51ec755

        SHA1

        2394880134c60959ce6e50ff3b3908f398e1c2c5

        SHA256

        de3418333d798b4d20cf5efe5596130e1dfd5989edeaae6b1fa7eb9be492d720

        SHA512

        54502da21339eb31b55018819fa6a909f559f6faa0024c5a59b8ccf25f89c1589ee6d62e871d6bbf5e844d83951cc2b44db72f47a75b1057789b8e55f7c88ca9

      • \ProgramData\2E52.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • memory/1104-866-0x0000000000275000-0x0000000000293000-memory.dmp

        Filesize

        120KB

      • memory/1252-100-0x0000000000370000-0x00000000003B0000-memory.dmp

        Filesize

        256KB
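
Pulling indicators out of a report in this layout by hand is error-prone: the same 14KB C:\ProgramData\2E52.tmp is listed under more than one path spelling, and the $Recycle.Bin entries all carry one hash. The following is an added example, not part of the sandbox report, of a parser for the "Downloads" record format used on this page that groups records by SHA256 so each distinct artifact is listed once. The sample input is copied from the entries above with MD5, SHA1 and SHA512 left out for brevity; the parser picks those up too when present, and ignores the blank lines the page puts between fields.

```python
import re
from collections import defaultdict

# Sample records in the report's own "Downloads" layout (values taken from the
# entries above; MD5/SHA1/SHA512 omitted here to keep the sample short).
SAMPLE_REPORT = r"""
• C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\AAAAAAAAAAA

  Filesize

  129B

  SHA256

  7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434

• C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\BBBBBBBBBBB
  Filesize
  129B
  SHA256
  7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434
• C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\desktop.ini
  Filesize
  129B
  SHA256
  7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434
• C:\9y643jKEQ.README.txt
  Filesize
  599B
  SHA256
  68cb0a6dc8b83207229b79c58416965076b1abb3c9a69a58ece74a8df9fc0cee
• C:\ProgramData\2E52.tmp
  Filesize
  14KB
  SHA256
  917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
• \ProgramData\2E52.tmp
  Filesize
  14KB
  SHA256
  917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
• memory/1104-866-0x0000000000275000-0x0000000000293000-memory.dmp
  Filesize
  120KB
"""

# field label on the page -> key in the parsed record
FIELDS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}

# a file name that is one character repeated (AAAAAAAAAAA, BBBBBBBBBBB, ...)
PLACEHOLDER = re.compile(r"^(.)\1{2,}$")


def parse_downloads(text):
    """Parse '• path' records followed by label/value pairs into dicts.
    Memory-dump entries that carry only a Filesize come out without hashes."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in FIELDS:
            pending = FIELDS[line]
        elif pending and current is not None:
            current[pending] = line
            pending = None
    return records


def group_by_hash(records, key="sha256"):
    """{hash: [paths...]}; records without that hash (memory dumps) are skipped."""
    groups = defaultdict(list)
    for r in records:
        if key in r:
            groups[r[key]].append(r["path"])
    return dict(groups)


def placeholder_clusters(groups):
    """Hashes shared by two or more placeholder-named files, i.e. filler written
    to $Recycle.Bin rather than distinct user files."""
    out = {}
    for h, paths in groups.items():
        names = [p.rsplit("\\", 1)[-1] for p in paths]
        if sum(1 for n in names if PLACEHOLDER.match(n)) >= 2:
            out[h] = paths
    return out


if __name__ == "__main__":
    groups = group_by_hash(parse_downloads(SAMPLE_REPORT))
    for h, paths in groups.items():
        print(f"{h}  ({len(paths)} path(s))")
    print("placeholder clusters:", list(placeholder_clusters(groups)))
```

Grouping by hash is what turns the page into a usable blocklist: three SHA256 values cover every dropped file in the sample, and the placeholder cluster tells the analyst which of them is recycle-bin filler rather than the payload or the ransom note.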