2925e11520e3d009f092fada3a10cf9ece1a22388a56d7a4c1571522d9b62af4

General

Target

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Size

194KB
MD5

e5688a4c13bed28637fd22bb920e1b86
SHA1

c4e491d4611e7c50904164c0f9f0ff232cde04da
SHA256

2925e11520e3d009f092fada3a10cf9ece1a22388a56d7a4c1571522d9b62af4
SHA512

ce21d161bb7aa31a6abbbaece080138c530bd0d5bcf28e8d70c4bc33374a396e8a97cc429e0c3791afc4c4368d6e8061bcd6ef38d77ae0cc9ad32dfbdf685168
SSDEEP

3072:56glyuxE4GsUPnliByocWepRGbVZqid91h2ys+tU:56gDBGpvEByocWeubV4inP9B

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (266) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

1BDA.tmp

pid process

2460 1BDA.tmp
Executes dropped EXE 1 IoCs

Processes:

1BDA.tmp

pid process

2460 1BDA.tmp
Loads dropped DLL 1 IoCs

Processes:

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

pid process

2364 2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Qs2QSInbk.bmp"	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Qs2QSInbk.bmp"	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe1BDA.tmp

pid	process
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
2460	1BDA.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "10"	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

Modifies registry class 5 IoCs

Processes:

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk\DefaultIcon\ = "C:\\ProgramData\\Qs2QSInbk.ico"	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Qs2QSInbk	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Qs2QSInbk\ = "Qs2QSInbk"	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk\DefaultIcon	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

pid	process
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

1BDA.tmp

pid	process
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp
2460	1BDA.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeDebugPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: 36	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeImpersonatePrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeIncBasePriorityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeIncreaseQuotaPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: 33	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeManageVolumePrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeProfSingleProcessPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeRestorePrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSystemProfilePrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeTakeOwnershipPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeShutdownPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeDebugPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe1BDA.tmp

description	pid	process	target process
PID 2364 wrote to memory of 2460	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe	1BDA.tmp
PID 2364 wrote to memory of 2460	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe	1BDA.tmp
PID 2364 wrote to memory of 2460	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe	1BDA.tmp
PID 2364 wrote to memory of 2460	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe	1BDA.tmp
PID 2364 wrote to memory of 2460	2364	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe	1BDA.tmp
PID 2460 wrote to memory of 548	2460	1BDA.tmp	cmd.exe
PID 2460 wrote to memory of 548	2460	1BDA.tmp	cmd.exe
PID 2460 wrote to memory of 548	2460	1BDA.tmp	cmd.exe
PID 2460 wrote to memory of 548	2460	1BDA.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364

C:\ProgramData\1BDA.tmp
"C:\ProgramData\1BDA.tmp"
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1BDA.tmp >> NUL
3⤵
PID:548

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\DDDDDDDDDDD

Filesize
129B

MD5
240ddfd616b6c82dd36be948e11f7d8f

SHA1
9fe3596b8ec1cc626bf903a298feca0b156a7481

SHA256
3d6e15bd944d4915ca2c089f1ccf06a10d8a7be23651e924cd5d28706e43a7af

SHA512
687b46c9fcd470ee1351a747a4e9fcc47fa691f6203829cf30ea275080f69bc67c74a1189118fc149d9e0ed88f7774fdf8e72a43deef6ee669d543434c705e1f

Download Submit
C:\Qs2QSInbk.README.txt

Filesize
434B

MD5
ad29bd8c66e114ff57c943d16c78f72a

SHA1
5ab070ee89a36f38facae4dfc8ec5ce3e59af46e

SHA256
6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c

SHA512
a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
194KB

MD5
49ae95dacb8ea9ca5ea597819b85161d

SHA1
4168bb0a3850685fa5d07d2231c122570e3a583a

SHA256
0442a88fa9bcc9aacd4b3480f9f0839a4e5ff0c7e5556b37abff76b0a250691f

SHA512
f206713b983ac216bd8590f7ac39d21457eaa1575ff5e5af42993bf4b7689ec2e6acf5cc5fcde6a6e1583e46a7fbf9db00b1b8cc62f56417a3d679a89834656a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\EEEEEEEEEEE

Filesize
129B

MD5
8027ae9e5567aaf458f01da19754a2dd

SHA1
69ea4178ee28e793e2e7eb8c76b2143cfbc80820

SHA256
747f61a32dfc32270de61a1388e01c439273360c94d5ce6140e96b037a0e025e

SHA512
83e47080eef6a5e456e9f3f4245a0ad5960df0ce89e429bfb7fd0311db40c4e4fefc3711edee2ff0a9adcb8f858803608883307eefad611af9bdda2d27e60ffa

Download Submit
\ProgramData\1BDA.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/2364-0-0x00000000001A0000-0x00000000001E0000-memory.dmp

Filesize
256KB

Download
memory/2460-775-0x0000000002210000-0x0000000002250000-memory.dmp

Filesize
256KB

Download
memory/2460-774-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/2460-777-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2460-776-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2460-807-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/2460-806-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads