7b0f5d34e8021af4134dbc9b5a0119f8e2acf18ade91c5f2b2fd168daec0027b

General

Target

2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Size

147KB
MD5

1b8977fa6d45aa48c790b038a8696b71
SHA1

6c29c41ca7d413846057b6f32059ca1c714782bb
SHA256

7b0f5d34e8021af4134dbc9b5a0119f8e2acf18ade91c5f2b2fd168daec0027b
SHA512

189080dbc029f333251135bb702b5ecad477f9f9811c2704810e063c64b109fa8d2f5771a41fd286435d9a8ce368c352675971cd2d4d6c1191d9c2980333cebd
SSDEEP

3072:1qJogYkcSNm9V7DtXJqJIw1gUQil+4O6JT:1q2kc4m9tDtXJqJIwll+

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\ashOWYJUH.README.txt

Ransom Note

>>>> You need to contact us soon! Our contact email: [email protected] >>>> Your data are stolen and encrypted >>>> Your personal DECRYPTION ID: D9AC5C30CE91307B21DA852CC5F0868E >>>> All files on your computer have been encrypted. >>>> If you want to recover encrypted files, then contact us soon! >>>> We can decrypt 1-3 files (doc, xls, pdf, txt, jpeg) for free. You can attach them to your email. Databases, archives, backups are decrypted only after payment! >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> You need to contact us soon! Our contact email: [email protected] >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!

Emails

[email protected]

Signatures

Renames multiple (616) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3726321484-1950364574-433157660-1000\desktop.ini	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3726321484-1950364574-433157660-1000\desktop.ini	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ashOWYJUH.bmp"	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ashOWYJUH.bmp"	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\Desktop	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\Desktop\WallpaperStyle = "10"	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

Modifies registry class 5 IoCs

Processes:

2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ashOWYJUH\DefaultIcon	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ashOWYJUH	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ashOWYJUH\DefaultIcon\ = "C:\\ProgramData\\ashOWYJUH.ico"	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ashOWYJUH	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ashOWYJUH\ = "ashOWYJUH"	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

pid	process
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeDebugPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: 36	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeImpersonatePrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeIncBasePriorityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeIncreaseQuotaPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: 33	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeManageVolumePrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeProfSingleProcessPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeRestorePrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSystemProfilePrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeTakeOwnershipPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeShutdownPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeDebugPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeBackupPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
Token: SeSecurityPrivilege	3924	2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_1b8977fa6d45aa48c790b038a8696b71_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3726321484-1950364574-433157660-1000\OOOOOOOOOOO

Filesize
129B

MD5
9c5b5b9ce23b75105e803bf3f00b81a3

SHA1
6c3d306e6247b8cb7b8a327ccf47f10c4c5a356c

SHA256
ca1122238461b94710d5eb521d8a877b1bdb9e3480905f28c762a9991c604519

SHA512
97c1e09fbbd3cd4c96de6013c7fe50101addbe42d32f918dd106697dca2c9b0def475ce1d29e850000de2b8fc39bb4540edb004756f6ee8167f7624f9012d81d

Download Submit
C:\ashOWYJUH.README.txt

Filesize
1KB

MD5
7ec62e633f6c19e4d4c99b63e42096dd

SHA1
306ffb0d2786dce3a4bb8188c0221aca517220a3

SHA256
76d4778bee2e787530e5ca94f9951fbae4ca63efc491112f6b7a41e5d360b948

SHA512
2225ba6455be470b3323a2bcb3e6a5bb9b21e18a977c9bb3b67fd65eb1d10c3c38a55b0e798bbabdd60502f28031cf3d3fb33eec3cce2d512c6b43860500456b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3726321484-1950364574-433157660-1000\DDDDDDDDDDD

Filesize
129B

MD5
fa16359855404a22473ac07eb9461730

SHA1
a0e1086400897ecbafa3e041f86c6c64450a7ebf

SHA256
bfdd6b056e2a61530a7246f228724954316ce7b7479d24400cf60f843305ccaf

SHA512
a964cdd7c24f8c5dc9fcba5beaccbadde5d34f1aea4f81115fa5c8dffa9b072c884f5e298f49ef24836bb0cb60467b17986a981cc1d7632655ae379488d231cb

Download Submit
memory/3924-1-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/3924-2-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/3924-0-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads