41e187191625d749b89a11bc04fc0b2a3b9bd638035d05b39365c47ab36d1898

Resubmissions

29/04/2024, 16:10

240429-tmdysaeg49 10

26/04/2024, 11:49

240426-ny1zssfh37 10

Analysis

max time kernel
16s
max time network
18s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Size

194KB
MD5

6fd558cf3add096970e15d1e62ca1957
SHA1

78e95fabcfe8ef7bb6419f8456deccc3d5fa4c23
SHA256

41e187191625d749b89a11bc04fc0b2a3b9bd638035d05b39365c47ab36d1898
SHA512

fac7efe9b76f9b6a917f8751f5be64ad8e067e5404fe05f3e9d7781ea3661a06c0baaac676a6023eb4a0b7f01bc2bb2d64d572f85aec8ad8de35cc7f106e1fdc
SSDEEP

3072:n6glyuxE4GsUPnliByocWepMhJL4BFkTGX:n6gDBGpvEByocWeyhJL4UK

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (344) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2136	341B.tmp

Executes dropped EXE 1 IoCs

pid	Process
2136	341B.tmp

Loads dropped DLL 1 IoCs

pid	Process
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AAtvmKv4L.bmp"	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AAtvmKv4L.bmp"	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
2136	341B.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\WallpaperStyle = "10"	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AAtvmKv4L\DefaultIcon	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AAtvmKv4L	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AAtvmKv4L\DefaultIcon\ = "C:\\ProgramData\\AAtvmKv4L.ico"	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.AAtvmKv4L	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.AAtvmKv4L\ = "AAtvmKv4L"	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3028	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp
2136	341B.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeDebugPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: 36	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeImpersonatePrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeIncBasePriorityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeIncreaseQuotaPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: 33	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeManageVolumePrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeProfSingleProcessPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeRestorePrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSystemProfilePrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeTakeOwnershipPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeShutdownPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeDebugPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeBackupPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
Token: SeSecurityPrivilege	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2136	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe	30
PID 1280 wrote to memory of 2136	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe	30
PID 1280 wrote to memory of 2136	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe	30
PID 1280 wrote to memory of 2136	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe	30
PID 1280 wrote to memory of 2136	1280	2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe	30
PID 2136 wrote to memory of 1528	2136	341B.tmp	31
PID 2136 wrote to memory of 1528	2136	341B.tmp	31
PID 2136 wrote to memory of 1528	2136	341B.tmp	31
PID 2136 wrote to memory of 1528	2136	341B.tmp	31

C:\Users\Admin\AppData\Local\Temp\2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280
- C:\ProgramData\341B.tmp
  "C:\ProgramData\341B.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\341B.tmp >> NUL
    3⤵
    PID:1528

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AAtvmKv4L.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini

Filesize
129B

MD5
14f43eb690abfddd6ce5bcded0957a34

SHA1
5e1e2977bd2924db52e6831c617ec88de4babe02

SHA256
04a39fab0a2abdad182801cace0bfa531583d62a77fb6def9f71e68a4f58e263

SHA512
dc492fbd4d61d5ea49f179d123866d20aaa58d4900c52552d83791ffd02cfb8945c9bc70f2145789903d78fb4927204e321b504e5a0178d7dbad58c2653e61a0

Download Submit
C:\AAtvmKv4L.README.txt

Filesize
434B

MD5
b4709a56b9d7f431da172316cda720be

SHA1
d2132f7129a7003ec4c0392f0f08cd24ea353da6

SHA256
192d1e6078570865531e8a4c9840a483c4a2ac35fe468107284991f6da813191

SHA512
e390d51e95db5e56c666a2895dc87dab41d97e7ce3c0df1f2466abf14a651167232521ab5f52746d16bab0ef14e6c0ee9dcfe29894604d695b0d064909378227

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
194KB

MD5
cc9decf08d045237405acd8269d9d6d7

SHA1
2420d696c6e190da58100dd859ad42bc9c74a360

SHA256
b89d19ef93f36f9f86cd6185b44abe64d4368314dc9e026f53355a85a38eefe2

SHA512
9ba5a8ba8620524eb497cffe04dd82ae8490cf878c065bf126db8360a9417afe3a79952d538f618e67eafd2b1320d5984d3ecc96789a38d81c952887b0699ba1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\EEEEEEEEEEE

Filesize
129B

MD5
facbd7c9ceaed786d9b11dd30a949abb

SHA1
52fb563eff5b7364bd3d9bb6ad09b3f2dfb5dfe2

SHA256
05af90a5e17bd2df67342f6b5af56c26078d7d1ef6666d5702367cdaa21ec88d

SHA512
58ddb749521c28af79555ce729379400a4652dcfc727eb8ed2b9868755946738e77cf082a73eb7dfddf4bff49994876bbe63fc093477cdfdf63d11f78fdf5d62

Download Submit
\ProgramData\341B.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1280-0-0x00000000023F0000-0x0000000002430000-memory.dmp

Filesize
256KB

Download
memory/2136-866-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2136-865-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2136-864-0x0000000002200000-0x0000000002240000-memory.dmp

Filesize
256KB

Download
memory/2136-862-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/2136-863-0x0000000002200000-0x0000000002240000-memory.dmp

Filesize
256KB

Download
memory/2136-895-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2136-896-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download