5fc30ad2bc0d586a9b21fab26e66ef52ace6eb7ce7fc22c3a693a9ec9669ae05

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Size

150KB
MD5

0ad4f1567592a3d73ec61e461f7bce4c
SHA1

842ba1ad3799c0e65dafce7e71c0f4585e26443f
SHA256

5fc30ad2bc0d586a9b21fab26e66ef52ace6eb7ce7fc22c3a693a9ec9669ae05
SHA512

99cc76d1e5ca57aeeaea2154587a95b8e043c9e713636f93574945cf25cafa76cd1a8a7f4ff72e2244c3ff26220aecbc1df76dc791468142baa601c4a7f19b5d
SSDEEP

3072:g6glyuxE4GsUPnliByocWepeKNHOpEu/vpmtO:g6gDBGpvEByocWegUWZ

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\3wHht2h41.README.txt

Ransom Note

+-----------------------------------------------------------------------------------------------------------------------------------------------+ | --> WARNING <-- | | Your data are stolen and encrypted! | | | | The data will be published on ONION website if you do not pay the ransom! | | | | What guarantees that we won't cheat you? | | | | We are not interested in politics. We are interested in money! | | | | Once you pay for the decryption program, we will give it to you immediately, it is fully automatic. | | Life is too short to be sad. Don't be sad, money is just paper. | | | | We're just as interested in giving you the program. | | Our reputation is very important to us. We attack companies all over the world, and there is not a single dissatisfied victim after payment.| | | | You can send us a file up to 5 megabyte in size and we will decrypt it for free. | | | | You need to contact us by email: | | | -> [email protected] | -> [email protected] | | | | Your personal DECRYPTION MASTER_ID: F7B87B84AFBCA1B1A0E885C51CB2AB8C | | | | Warning! Do not DELETE or MODIFY any files | | | +-----------------------------------------------------------------------------------------------------------------------------------------------+

Emails

[email protected]

Signatures

Renames multiple (366) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe

pid	Process
1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe

pid	Process
1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeDebugPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: 36	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeImpersonatePrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeIncBasePriorityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeIncreaseQuotaPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: 33	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeManageVolumePrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeProfSingleProcessPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeRestorePrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSystemProfilePrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeTakeOwnershipPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeShutdownPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeDebugPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1876	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe

C:\Users\Admin\AppData\Local\Temp\2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini

Filesize
129B

MD5
b15776c60638b32f377240a71b073300

SHA1
f0d25b771ba75eb317dc255f763c531e34cf362c

SHA256
65f841d5e423e54b5f701988e7c9b67b32d08a947bdae6318f5b2d652f4a3a4a

SHA512
c7b29f042d84c37d2cc5922ac4cc3c32cce418e6468169a326905d2695fef47c94e610a34c67312103a315409397bd6484a6d832a1b2e65c1c2ec41edf279d25

Download Submit
C:\3wHht2h41.README.txt

Filesize
4KB

MD5
37b5a486ae6dca463979deef33fb93ee

SHA1
24cca8e6719b833aa391efd80e21fc6a55c8d38d

SHA256
191bed0bcd2f6bd5ce6fc801e5313a8c55c347de2930ee356821cf9579a730a2

SHA512
dd7372814491cebbac173372e8a45f8819e1731e68bd5c674e915a253be3575e716a8fcbda05185cfe36d69a6ba2fbf3b81b28cff54d32120dfc98d218cc8e04

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\CCCCCCCCCCC

Filesize
129B

MD5
a97f1a8a8876e5befdc77c68d9cee3a4

SHA1
1098256c1adcccac02e21210cb4471d19f0b85f3

SHA256
341025b10da8b704dde5831953f49f30761fdddfa4b062f8879fc081ead96dc9

SHA512
f826993c79b56454ab1de0ab14f1e6b08a9ec1c632cf2df6cc0add93d07169a81b1dbf00ac0321e5b58f5d853c46c285c5259a7acf1e21b0e3e593b0081378a7

Download Submit
memory/1876-0-0x0000000000D30000-0x0000000000D70000-memory.dmp

Filesize
256KB

Download