bac1110e9a947d74ee88ea32544e2e27c9abd26dfcbe5c6f5eeca2e8ea30510b

Analysis

max time kernel
100s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Size

146KB
MD5

3225d6727350498c0864872ba41ead57
SHA1

95a4772ae9f52310aee81277410700373966db9f
SHA256

bac1110e9a947d74ee88ea32544e2e27c9abd26dfcbe5c6f5eeca2e8ea30510b
SHA512

41a7a9094c1a24740714c7c67efe43508c5f21cb6f4d48d501c7a874653b918787916bb5c4ed074b7c313f9c453aa05ab0e929225f17537974517beba9a3f787
SSDEEP

3072:aqJogYkcSNm9V7D7lxR1NlEZeHzyzosvxfxST:aq2kc4m9tDJQKzWvxJ

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\6oook9hg8.README.txt

Ransom Note

———————————CAUTION, PLEASE———————————— ֎֎֎ All your files have been stolen and encrypted ֎֎֎ You have to pay ransom otherwise all the data will be leaked on the Internet as well as stay encrypted on your PC and the whole domain. ———> WHAT WE DO RECOMMEND: DO NOT RECOVER any FILES on your own, IT CAN LEAD to irreversible consequences! Your personal DECRYPTION ID: XXXXXXXXXXXXXXX ———> WHAT WE GUARANTEE YOU: 3 files free decryption as a tool validation. We provide you with a decryption tool. We delete all your data and send proofs. We save your reputation, NO data leaks. We share our vulnerability report with you. ———> WHAT THE REASON: NO other reason except your MONEY! Right now your have a chance to save your business. Feel free to contact us. https://getsession.org/ 058a0295752970d65fe9f131cb26314cf76bf3b5bfbd8ac1fb9b54d31424fff332

URLs

https://getsession.org/

Signatures

Renames multiple (627) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3169499791-3545231813-3156325206-1000\desktop.ini	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3169499791-3545231813-3156325206-1000\desktop.ini	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe

Modifies registry class 5 IoCs

Processes:

2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.6oook9hg8	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.6oook9hg8\ = "6oook9hg8"	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6oook9hg8\DefaultIcon	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6oook9hg8	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6oook9hg8\DefaultIcon\ = "C:\\ProgramData\\6oook9hg8.ico"	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe

pid	Process
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeDebugPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: 36	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeImpersonatePrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeIncBasePriorityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeIncreaseQuotaPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: 33	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeManageVolumePrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeProfSingleProcessPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeRestorePrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSystemProfilePrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeTakeOwnershipPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeShutdownPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeDebugPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeBackupPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
Token: SeSecurityPrivilege	1244	2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_3225d6727350498c0864872ba41ead57_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3169499791-3545231813-3156325206-1000\YYYYYYYYYYY

Filesize
129B

MD5
29de569677676271aae4ea4338f74eb0

SHA1
7e554dab12fae9c06c366cd7ecc1d2f28f371a40

SHA256
d49a0c411c83f2365ec5715603e949fc539ff0ef61bd5580bdc9082139257212

SHA512
a83b6968b9a28dc82a330bd98e26f6c07fd111fb1a2e3debc80ada7756ed9a4a10afeb613888d9edcf0f9fa051c0e1b237208c96c5cdb88b0b5563ff58d55bbb

Download Submit
C:\6oook9hg8.README.txt

Filesize
954B

MD5
a86c8b4bb1c807febae793e944229191

SHA1
b284eb3f35a47010c8bb752dd36bca7f2e4c8f47

SHA256
23710ed2b331975396c5c4cbc1e358427c54d9fc276df59bdefd6c1c56a4d079

SHA512
04350c4e9eea8e2d5382a2dca436781390248ae4f3eccdddc602e6550ebdfc71c93f5e018c8d98a4591f3ca6ecf275453a1d147cd8208084a9976812698c0c3c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3169499791-3545231813-3156325206-1000\DDDDDDDDDDD

Filesize
129B

MD5
2e794ab5fd4dc3d350ba23ada0687361

SHA1
201a5d09d4eb6d317ca9f57be245f6a5c78bdf12

SHA256
74c431de8e60c25c55a1f690abd62f6f2a6025cdf9ce267ca666ca9ae5eaf494

SHA512
67546589040bcf24813027aa11d14a84fe98bccf95a20143e6f53cc8c8fb61012a5a983c5237db628cf19dd27a5124b6b9a2490ead042959fcaf2d67956d61e0

Download Submit
memory/1244-0-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/1244-2-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/1244-1-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download