bac1110e9a947d74ee88ea32544e2e27c9abd26dfcbe5c6f5eeca2e8ea30510b

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Size

146KB
MD5

3225d6727350498c0864872ba41ead57
SHA1

95a4772ae9f52310aee81277410700373966db9f
SHA256

bac1110e9a947d74ee88ea32544e2e27c9abd26dfcbe5c6f5eeca2e8ea30510b
SHA512

41a7a9094c1a24740714c7c67efe43508c5f21cb6f4d48d501c7a874653b918787916bb5c4ed074b7c313f9c453aa05ab0e929225f17537974517beba9a3f787
SSDEEP

3072:aqJogYkcSNm9V7D7lxR1NlEZeHzyzosvxfxST:aq2kc4m9tDJQKzWvxJ

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\6oook9hg8.README.txt

Ransom Note

———————————CAUTION, PLEASE———————————— ֎֎֎ All your files have been stolen and encrypted ֎֎֎ You have to pay ransom otherwise all the data will be leaked on the Internet as well as stay encrypted on your PC and the whole domain. ———> WHAT WE DO RECOMMEND: DO NOT RECOVER any FILES on your own, IT CAN LEAD to irreversible consequences! Your personal DECRYPTION ID: XXXXXXXXXXXXXXX ———> WHAT WE GUARANTEE YOU: 3 files free decryption as a tool validation. We provide you with a decryption tool. We delete all your data and send proofs. We save your reputation, NO data leaks. We share our vulnerability report with you. ———> WHAT THE REASON: NO other reason except your MONEY! Right now your have a chance to save your business. Feel free to contact us. https://getsession.org/ 058a0295752970d65fe9f131cb26314cf76bf3b5bfbd8ac1fb9b54d31424fff332

URLs

https://getsession.org/

Signatures

Renames multiple (278) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1340930862-1405011213-2821322012-1000\desktop.ini	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1340930862-1405011213-2821322012-1000\desktop.ini	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe

Modifies registry class 5 IoCs

Processes:

2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6oook9hg8\DefaultIcon\ = "C:\\ProgramData\\6oook9hg8.ico"	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.6oook9hg8	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.6oook9hg8\ = "6oook9hg8"	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6oook9hg8\DefaultIcon	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6oook9hg8	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe

pid	Process
2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeDebugPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: 36	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeImpersonatePrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeIncBasePriorityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeIncreaseQuotaPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: 33	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeManageVolumePrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeProfSingleProcessPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeRestorePrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSystemProfilePrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeTakeOwnershipPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeShutdownPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeDebugPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	2340	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1340930862-1405011213-2821322012-1000\desktop.ini

Filesize
129B

MD5
bfac2b956965d0f8b7082e490cfc985b

SHA1
f6728248447298abbe67bfec076281c9c3798110

SHA256
18c9845584882c5ca0d9a55047d605244937927f62359a4fb69e674bcaff1365

SHA512
05104a651dad88c2e49b1483233632d3505f0af84a71224edb6035e1eec714573760ea72c6ca99c7ba365fa2408520788cef01cf3d7550eae5b046b6e1fbe553

Download Submit
C:\6oook9hg8.README.txt

Filesize
954B

MD5
a86c8b4bb1c807febae793e944229191

SHA1
b284eb3f35a47010c8bb752dd36bca7f2e4c8f47

SHA256
23710ed2b331975396c5c4cbc1e358427c54d9fc276df59bdefd6c1c56a4d079

SHA512
04350c4e9eea8e2d5382a2dca436781390248ae4f3eccdddc602e6550ebdfc71c93f5e018c8d98a4591f3ca6ecf275453a1d147cd8208084a9976812698c0c3c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1340930862-1405011213-2821322012-1000\DDDDDDDDDDD

Filesize
129B

MD5
f616d9f15fff9c0a1bf13238d34985e5

SHA1
db3cc503c55b8fce8f7b1c7f57947a31522e831e

SHA256
797affb7b7687ac826af6d0f2f8a057850cfcb79718e70d8c7df4ce7860f69e9

SHA512
0bebf8ac3109b6e39c926f696ff9c410a5240e64bd120ba2fba81b1eb3c03924e68738796bf9f51acbd8b7435ea7ea8a540154ee23a541b6d01b840f4fad0b9a

Download Submit
memory/2340-0-0x0000000002350000-0x0000000002390000-memory.dmp

Filesize
256KB

Download