87fbe43f63e03abd456b9de05bfebde931e409f5b250666c488b1c5761f8ce9e

Analysis

max time kernel
122s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07-01-2024 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Size

147KB
MD5

1fe11d4e1effc551b704ebc4355451f4
SHA1

e26d4acded30b4db0edda83549473ca269bec216
SHA256

87fbe43f63e03abd456b9de05bfebde931e409f5b250666c488b1c5761f8ce9e
SHA512

e8f5ff2f5c2e0c278976d7626d8965b1e298649718eb205c8f168a5afda6467e799d0857795c1e5a2434ef86028f0a654d21852a8574e72d1383f8e603f5d378
SSDEEP

1536:0zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD5quSvVHijaVuOoDrkmf3ReNGIT:bqJogYkcSNm9V7D51KHZuOoDrkKecIT

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\QWDeSZKEd.README.txt

Ransom Note

~~~ LockByte Group ransomware since 2023~~~ >>>> Your data are stolen and encrypted >>>> Your personal DECRYPTION ID: 1F54B569CD8F60932FE97D9AE7A72894 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> You need contact us and decrypt one file for free on these email or tox chat with your personal DECRYPTION ID Write to me and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. EMAIL: [email protected] Telegram: @asg_hje_313 Tox Chat: 04C43C5752CE44971B150FE3EF62B11CE187B37692BD8A0B3681F8B779A7AF24BF05051F8CAA TIME: after 3 days we will publish your data on the forum if you do not pay !!!!! Decription Price: 8 BTC Bitcoin Wallet: bc1q8wqj7ntrlawwt09c2tucmzeq5mscxepwqwj63x

Emails

[email protected]

Signatures

Renames multiple (318) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2444714103-3190537498-3629098939-1000\desktop.ini	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2444714103-3190537498-3629098939-1000\desktop.ini	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.QWDeSZKEd	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.QWDeSZKEd\ = "QWDeSZKEd"	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QWDeSZKEd\DefaultIcon	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QWDeSZKEd	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QWDeSZKEd\DefaultIcon\ = "C:\\ProgramData\\QWDeSZKEd.ico"	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeDebugPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: 36	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeImpersonatePrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeIncBasePriorityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeIncreaseQuotaPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: 33	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeManageVolumePrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeProfSingleProcessPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeRestorePrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSystemProfilePrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeTakeOwnershipPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeShutdownPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeDebugPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeBackupPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
Token: SeSecurityPrivilege	2312	2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_1fe11d4e1effc551b704ebc4355451f4_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2444714103-3190537498-3629098939-1000\desktop.ini

Filesize
129B

MD5
68678f55a032d3d7264ce7877af5350a

SHA1
52247e54c409653ec7052eba540910939b8db5e6

SHA256
2fd3a9b12b17b450195997f846a220a83726238a22b78a3e64823873b1d32061

SHA512
e3c08fd5f75590fbf979e70f4b15e5da6d37ced709ba47d88e670ac259f2b86bdc281eff8743fa8d9396473de67c6db51d85ed05d639e9859acf8fc235d75e79

Download Submit
C:\QWDeSZKEd.README.txt

Filesize
1KB

MD5
d245f90038bf9f9a12e2d8375c7fef6b

SHA1
9b4eb40543667cb572eab3416015ea694d7c9e23

SHA256
46611ae11e48f37656d3b971c3c965cff3ab46f4cc97b9ab4fd9076243ffbc7d

SHA512
3b582e7a4357ea63bf6e860d87996647c085568928cae808a5dc94be20f59395dcd9aa1761b9c284481ada07fd6107603211ecdcc3d1806a137990f54bb400cf

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2444714103-3190537498-3629098939-1000\DDDDDDDDDDD

Filesize
129B

MD5
edeb5276b47dae3d2b3d083547c02455

SHA1
d86b8aeb57c87a5fc90734dd09d7feea8961167a

SHA256
26849ff5290dacad911be3c139fcd2b19f4aa81abd72af53aae2d2e3c479c12b

SHA512
a25616fc344aad97373b060928a0c421be748baab2a2493673662aeef0fa1b7322d00573094c937a3d6472477be9fe1f43c23a88ab73aec180edca7dc2107fb0

Download Submit
memory/2312-0-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download