63a4561804b90ef42862b49e86a23ff1490830f42c17189963a0dc4a0fadf1c5

General

Target

2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Size

194KB
MD5

34ad9c2c499594153ddb8ad088cf515e
SHA1

458e5d8b8b707afb3fff1ad5a9f31aa08c34bf2b
SHA256

63a4561804b90ef42862b49e86a23ff1490830f42c17189963a0dc4a0fadf1c5
SHA512

7b97052bc11232035db0aa635405ee4a4abdb69d349d0aedea09395dd38857e6e5b5d47b9db654d4b538eaf49dd7fab9a65633e36381e389fc3b5a037008cf29
SSDEEP

3072:t6glyuxE4GsUPnliByocWepiHkZmlkQIQP6fo:t6gDBGpvEByocWeQwLAPm

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (345) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

BA0C.tmp

pid process

1628 BA0C.tmp
Executes dropped EXE 1 IoCs

Processes:

BA0C.tmp

pid process

1628 BA0C.tmp
Loads dropped DLL 1 IoCs

Processes:

2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe

pid process

2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\kZd6jLIwz.bmp"	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\kZd6jLIwz.bmp"	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exeBA0C.tmp

pid	process
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
1628	BA0C.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "10"	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe

Modifies registry class 5 IoCs

Processes:

2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kZd6jLIwz	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kZd6jLIwz\DefaultIcon\ = "C:\\ProgramData\\kZd6jLIwz.ico"	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.kZd6jLIwz	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.kZd6jLIwz\ = "kZd6jLIwz"	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kZd6jLIwz\DefaultIcon	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe

pid	process
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

BA0C.tmp

pid	process
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp
1628	BA0C.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeDebugPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: 36	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeImpersonatePrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeIncBasePriorityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeIncreaseQuotaPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: 33	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeManageVolumePrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeProfSingleProcessPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeRestorePrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSystemProfilePrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeTakeOwnershipPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeShutdownPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeDebugPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeBackupPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Token: SeSecurityPrivilege	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exeBA0C.tmp

description	pid	process	target process
PID 2764 wrote to memory of 1628	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe	BA0C.tmp
PID 2764 wrote to memory of 1628	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe	BA0C.tmp
PID 2764 wrote to memory of 1628	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe	BA0C.tmp
PID 2764 wrote to memory of 1628	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe	BA0C.tmp
PID 2764 wrote to memory of 1628	2764	2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe	BA0C.tmp
PID 1628 wrote to memory of 2728	1628	BA0C.tmp	cmd.exe
PID 1628 wrote to memory of 2728	1628	BA0C.tmp	cmd.exe
PID 1628 wrote to memory of 2728	1628	BA0C.tmp	cmd.exe
PID 1628 wrote to memory of 2728	1628	BA0C.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764

C:\ProgramData\BA0C.tmp
"C:\ProgramData\BA0C.tmp"
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BA0C.tmp >> NUL
3⤵
PID:2728

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x154
1⤵
PID:880

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini
Filesize
129B

MD5
b234293e4885020733443345d746720d

SHA1
cffdff13ff349d511fd13eba583217bf63ab349c

SHA256
0a510f24d15cc9aed38bc3ce399343e3851a610475445ac3a582a3e7fd3e7e05

SHA512
1520642d14360291e65a1eca55164f2b4167e46770e5aa63cf9f26772cd2a59f7c30e932248ff60c19ac1fc7a062a371158877ac9b35666c08af621f72fc0784

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize
194KB

MD5
17889109b6d11423786c2f7be1a03d35

SHA1
a1b018dc711fdcab0f5e77ef43da0940a168fabd

SHA256
ce3c8df49e5d746aa35099cf9a0b605a9c6f8926687f55b4bf533f4abcdf93f7

SHA512
0c8ff51f287defd0680d2b994b3022f151bd8717542303c3359815c5770e5e7d18184c5e8c90eb733d024629d0862396b066d97d69a1a32ea6744e6aca1e6f78

Download Submit
C:\kZd6jLIwz.README.txt
Filesize
449B

MD5
c2f46db865b0ba6ef8f9385cf458a56e

SHA1
0b2f94fcf38ef15f59bb86a3296b7da514b4ac4e

SHA256
c25759e6083dd4bf592a6da2063c45def5adc9a6ef2ed15820128a0d838f70fe

SHA512
9927b209ca26e3243fac9f003c6af7663ba84405346fbdb66c6f401387cd20ea3f99d63d0858ebdc76f2e6bc722d41e2a1f599bc6f7d97b0687dba95dea31b39

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\HHHHHHHHHHH
Filesize
129B

MD5
b9e8fca0ca2e792d6a7facc2ddbb1b17

SHA1
8c92f1213681427a46654c89b10da243b8d59e62

SHA256
078800231e50238d6a1be65f08fc59a46dff64327344e12c258bb4caaea6ead0

SHA512
db4c7e0c86a2a07968786cac01b9e2e79ea5d57329b577393c96edba9e7ce6f892d977a3efcb7ffe2d15915a7c2824024617bb2384d41172379d592b849de461

Download Submit
\ProgramData\BA0C.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1628-863-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1628-864-0x00000000023C0000-0x0000000002400000-memory.dmp

Filesize
256KB

Download
memory/1628-866-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/1628-868-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1628-895-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/1628-896-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/2764-0-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads