7b0f5d34e8021af4134dbc9b5a0119f8e2acf18ade91c5f2b2fd168daec0027b

General

Target

2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Size

147KB
MD5

1b8977fa6d45aa48c790b038a8696b71
SHA1

6c29c41ca7d413846057b6f32059ca1c714782bb
SHA256

7b0f5d34e8021af4134dbc9b5a0119f8e2acf18ade91c5f2b2fd168daec0027b
SHA512

189080dbc029f333251135bb702b5ecad477f9f9811c2704810e063c64b109fa8d2f5771a41fd286435d9a8ce368c352675971cd2d4d6c1191d9c2980333cebd
SSDEEP

3072:1qJogYkcSNm9V7DtXJqJIw1gUQil+4O6JT:1q2kc4m9tDtXJqJIwll+

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\ashOWYJUH.README.txt

Ransom Note

>>>> You need to contact us soon! Our contact email: [email protected] >>>> Your data are stolen and encrypted >>>> Your personal DECRYPTION ID: D9AC5C30CE91307BDD84EA22E13CC74A >>>> All files on your computer have been encrypted. >>>> If you want to recover encrypted files, then contact us soon! >>>> We can decrypt 1-3 files (doc, xls, pdf, txt, jpeg) for free. You can attach them to your email. Databases, archives, backups are decrypted only after payment! >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> You need to contact us soon! Our contact email: [email protected] >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!

Emails

[email protected]

Signatures

Renames multiple (300) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ashOWYJUH.bmp"	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ashOWYJUH.bmp"	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "10"	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

Modifies registry class 5 IoCs

Processes:

2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ashOWYJUH\DefaultIcon	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ashOWYJUH	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ashOWYJUH\DefaultIcon\ = "C:\\ProgramData\\ashOWYJUH.ico"	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ashOWYJUH	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ashOWYJUH\ = "ashOWYJUH"	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

pid	process
2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeDebugPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: 36	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeImpersonatePrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeIncBasePriorityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeIncreaseQuotaPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: 33	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeManageVolumePrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeProfSingleProcessPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeRestorePrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSystemProfilePrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeTakeOwnershipPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeShutdownPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeDebugPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	2936	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\AAAAAAAAAAA

Filesize
129B

MD5
24ac2f0f0145051a8c654f890adecdfe

SHA1
7e24e65960eb69c43430e4c987eced82abaede4a

SHA256
b274136b367de766bf75c7893f63cc31b805068202c9712a5ea32c830e61d84b

SHA512
edff149ce4320d9c07907cab290864b00892e28e599f5aba4d1b66505189f858f0b822346b5d559b70f8ca2593c1ccd4b14a68ab5ba1584e04cdf238337a7b31

Download Submit
C:\ashOWYJUH.README.txt

Filesize
1KB

MD5
863c09d112f82969d04d5b910b6dcae6

SHA1
59863bce2d9aadad37b762f37c2ee1766fa46b79

SHA256
91dc45d63564c46b596be132409db472960ec0774d03c6816ef3498e88d8f2c3

SHA512
cdc645615177b1a8487a78efac5ea9d6f8f1cbe5bfe9f6bd46bfb1b594a9a87318b7bbc367f397ccbdc325c24e9bfec0695da54f3bf73b1678b0a140f3da9c71

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\DDDDDDDDDDD

Filesize
129B

MD5
dda1a9d5d384066345bf6c4d7f569eb3

SHA1
91a39ccca9684576320c781979ecf724aaedd169

SHA256
676f5bb113d47a2a02b08ae9c1b8112ac676d2cf178c8af1e724d3f5f92da760

SHA512
9ebb73eee0871cdc5fd46274a01db33a626b58b2612916f1d08d08123dfc57ca474801fef03b930781eac309b0fa953178f90e3217385e7976a58af2f3b72d9d

Download Submit
memory/2936-0-0x00000000020C0000-0x0000000002100000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads