5fc30ad2bc0d586a9b21fab26e66ef52ace6eb7ce7fc22c3a693a9ec9669ae05

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Size

150KB
MD5

0ad4f1567592a3d73ec61e461f7bce4c
SHA1

842ba1ad3799c0e65dafce7e71c0f4585e26443f
SHA256

5fc30ad2bc0d586a9b21fab26e66ef52ace6eb7ce7fc22c3a693a9ec9669ae05
SHA512

99cc76d1e5ca57aeeaea2154587a95b8e043c9e713636f93574945cf25cafa76cd1a8a7f4ff72e2244c3ff26220aecbc1df76dc791468142baa601c4a7f19b5d
SSDEEP

3072:g6glyuxE4GsUPnliByocWepeKNHOpEu/vpmtO:g6gDBGpvEByocWegUWZ

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\3wHht2h41.README.txt

Ransom Note

+-----------------------------------------------------------------------------------------------------------------------------------------------+ | --> WARNING <-- | | Your data are stolen and encrypted! | | | | The data will be published on ONION website if you do not pay the ransom! | | | | What guarantees that we won't cheat you? | | | | We are not interested in politics. We are interested in money! | | | | Once you pay for the decryption program, we will give it to you immediately, it is fully automatic. | | Life is too short to be sad. Don't be sad, money is just paper. | | | | We're just as interested in giving you the program. | | Our reputation is very important to us. We attack companies all over the world, and there is not a single dissatisfied victim after payment.| | | | You can send us a file up to 5 megabyte in size and we will decrypt it for free. | | | | You need to contact us by email: | | | -> [email protected] | -> [email protected] | | | | Your personal DECRYPTION MASTER_ID: F7B87B84AFBCA1B10645C837638D3FB9 | | | | Warning! Do not DELETE or MODIFY any files | | | +-----------------------------------------------------------------------------------------------------------------------------------------------+

Emails

[email protected]

Signatures

Renames multiple (592) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe

pid	Process
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe

pid	Process
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeDebugPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: 36	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeImpersonatePrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeIncBasePriorityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeIncreaseQuotaPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: 33	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeManageVolumePrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeProfSingleProcessPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeRestorePrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSystemProfilePrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeTakeOwnershipPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeShutdownPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeDebugPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeBackupPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
Token: SeSecurityPrivilege	1260	2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe

C:\Users\Admin\AppData\Local\Temp\2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_0ad4f1567592a3d73ec61e461f7bce4c_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini

Filesize
129B

MD5
3ddc331cb7f8d01060ef8531ed4f1663

SHA1
4046c190a4b43d37c5bfba5690e12d69dbfc6e4d

SHA256
4b59ebd7b53efbb0fb751df2c64511569df0996a720c557d196d58c6fabe5860

SHA512
764ebbd242e68154e98f0c32982a3887945b4b5250b761c32abf4a64b8af8a04e40a9375a903b53413e895e9344cdde6a4f810941825c5966bc94a7c52883ab4

Download Submit
C:\3wHht2h41.README.txt

Filesize
4KB

MD5
d1b146b634de31f18f596a55070618b3

SHA1
759eab46c8f7305a0784b37129b06c7a5393dbcf

SHA256
7b5881897bcc08ead4e72a48ac57ea65c7edb0ffac796c494178078da8b04dfd

SHA512
be4c6095b77de156474c512eceb54a4df4f4d59574c920bd9e1fa2ec08d8fab3b0b6a70fb5739c77db2f07fed34bedc1951ccd9d26eeb4f9e01c801db4f18f1a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\DDDDDDDDDDD

Filesize
129B

MD5
4516b1f532202516c610365ef0b95d76

SHA1
e20ddc3c4368943896ff21c1a976621500c0e4c1

SHA256
63958be0e61e4c6b137279fa04e318e70849ae0b42ebd7560adacb9873e1cc4f

SHA512
51e2720386acb9e4840c7a2c36014cca262cb0ec08aeb43d0a3044b9bf2bc837ec48c829d31e5e79910aadae6629007c4f271728544a65df1493b9a2bf9fcbfb

Download Submit
memory/1260-2-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/1260-1-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/1260-0-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download