Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-09-2024 03:30

General

  • Target

    2024-09-29_8911139e0686509cbf44954ba2ba6675_darkside.exe

  • Size

    150KB

  • MD5

    8911139e0686509cbf44954ba2ba6675

  • SHA1

    f16aad9a562b1de55e33b2de23abaa7eb0a4a5c7

  • SHA256

    4f395d7d4d5c2578f957070e4b0acc6d4bc2d0761f39258e990f2070bd3db2fc

  • SHA512

    d20a28ac9987409dfb450740f904138e7ffb5ce16cb7ae13b29061b990136e472cef56427e35a337d07d100e6a6c3ddf08c82a6d402f97c468b73ad8c2d4f6a1

  • SSDEEP

    3072:AqJogYkcSNm9V7D5KbhIJ+2EE9ZzoZmT:Aq2kc4m9tD5KmJ0EnMZ

Malware Config

Extracted

Path

C:\tMAXi4m5p.README.txt

Ransom Note
Hello my dear friend. Do not scan the files with antivirus in any case. In case of data loss, the consequences are yours. Your data is encrypted Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted The only method of recovering files is to purchase decrypt tool and unique key for you. If you want to recover your files, write us to this e-mail: [email protected] In case of no answer in 24 hours write us to this backup e-mail: [email protected] Check your e-mail Spam or Junk folder if you don't get answer more than 6 hours. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software - it may cause permanent data loss. We are always ready to cooperate and find the best way to solve your problem. The faster you write - the more favorable conditions will be for you. Our company values its reputation. We give all guarantees of your files decryption. What are your recommendations? - Never change the name of the files, if you want to manipulate the files, be sure to back them up. If there are any problems with the files, we are not responsible for them. - Never work with intermediary companies because they charge you more money.Don't be afraid of us, just email us. Sensitive data on your system was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. - Manufacturing documents including: datagrams, schemas, drawings in solidworks format - And more... What are the dangers of leaking your company's data. 
First of all, you will receive fines from the government such as the GDRP and many others, you can be sued by customers of your firm for leaking information that was confidential. Your leaked data will be used by all the hackers on the planet for various unpleasant things. For example, social engineering, your employees' personal data can be used to re-infiltrate your company. Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered. On another vacation trip, you will have to explain to the FBI where you got millions of dollars worth of stolen cryptocurrency transferred through your accounts on cryptocurrency exchanges. Your personal information could be used to make loans or buy appliances. You would later have to prove in court that it wasn't you who took out the loan and pay off someone else's loan. Your competitors may use the stolen information to steal technology or to improve their processes, your working methods, suppliers, investors, sponsors, employees, it will all be in the public domain. You won't be happy if your competitors lure your employees to other firms offering better wages, will you? Your competitors will use your information against you. For example, look for tax violations in the financial documents or any other violations, so you have to close your firm. According to statistics, two thirds of small and medium-sized companies close within half a year after a data breach. You will have to find and fix the vulnerabilities in your network, work with the customers affected by data leaks. All of these are very costly procedures that can exceed the cost of a ransomware buyout by a factor of hundreds. It's much easier, cheaper and faster to pay us the ransom. Well and most importantly, you will suffer a reputational loss, you have been building your company for many years, and now your reputation will be destroyed. 
Do not go to the police or FBI for help and do not tell anyone that we attacked you. They won't help and will only make your situation worse.

Signatures

  • Renames multiple (299) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-29_8911139e0686509cbf44954ba2ba6675_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-29_8911139e0686509cbf44954ba2ba6675_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\ProgramData\C217.tmp
      "C:\ProgramData\C217.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C217.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1340
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:1936

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\BBBBBBBBBBB

      Filesize

      129B

      MD5

      4c2332a90966adec3a6bfe977b149119

      SHA1

      4b2e1628d30a1cf1d1f4547d1af06103df235f61

      SHA256

      1bbc7a5184d086677a11690b7a8488fba0ce32d2b69a91f95a1fad402366c011

      SHA512

      7c4e598fa5a58e7e8ec26a026f5a8c92a2e14dd919aff0235ee86c91b3571c2e06789e36cd18ba18e8c7f2e635137d4577b2559e81de5faae6682a40521c7edf

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      150KB

      MD5

      d5c190f812373e98aad30d7ca53c322e

      SHA1

      bd77f429fabd5bbc7629c279992e3041ee16c451

      SHA256

      556dc8b5bb5e2e65b4a64b3471d0def633fd7185e27cf8be8f460c5a11834845

      SHA512

      c534c3812746412f0dc5841e708fc95500a7f764d75357762a83d4bd480ba47fd8972f588b9caaafa0586c77d3e6feada6223b04e81cc334d1b10290ce43b917

    • C:\tMAXi4m5p.README.txt

      Filesize

      3KB

      MD5

      3b2c7f51fe80e142a7dbbf0d3565e398

      SHA1

      dc32f374357a8057bbe023e9e2ba9755b04388b3

      SHA256

      8ce7b3a993e3ab7bec11db06274026cc24cd6f04649db19e0b8a2e3c64177803

      SHA512

      0fe73ea135598b8ad13aa50b11e6ef82a2306e7bb66cf4f0b93747b64d233f42de049a32ff75b1bc315aa2b6f29c3524cfc467ba6782f2cbbbee526d39e88318

    • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\FFFFFFFFFFF

      Filesize

      129B

      MD5

      c7669cb33bf8d81292321f5e2c20964b

      SHA1

      6ff5f583cadb9e840007ce19068a87909d2b2809

      SHA256

      74c49ad83a07fed57be72fa849ef8b9dfeb8ccf1d4480436c17877ecd1b8e913

      SHA512

      73fa2b7e67d68c83377b9e48b14b93506aedb5ef9472b351006fd33335543c8269c96c3018345f8bb0bc4cced1834565048ae3c93c952ad67408224fd21034c3

    • \ProgramData\C217.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/1700-0-0x00000000004A0000-0x00000000004E0000-memory.dmp

      Filesize

      256KB

    • memory/2896-831-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

    • memory/2896-833-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

    • memory/2896-832-0x0000000002360000-0x00000000023A0000-memory.dmp

      Filesize

      256KB

    • memory/2896-830-0x0000000002360000-0x00000000023A0000-memory.dmp

      Filesize

      256KB

    • memory/2896-828-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

    • memory/2896-863-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

    • memory/2896-862-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB