Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-09-2024 15:17

General

  • Target

    202409298911139e0686509cbf44954ba2ba6675darkside.exe

  • Size

    150KB

  • MD5

    8911139e0686509cbf44954ba2ba6675

  • SHA1

    f16aad9a562b1de55e33b2de23abaa7eb0a4a5c7

  • SHA256

    4f395d7d4d5c2578f957070e4b0acc6d4bc2d0761f39258e990f2070bd3db2fc

  • SHA512

    d20a28ac9987409dfb450740f904138e7ffb5ce16cb7ae13b29061b990136e472cef56427e35a337d07d100e6a6c3ddf08c82a6d402f97c468b73ad8c2d4f6a1

  • SSDEEP

    3072:AqJogYkcSNm9V7D5KbhIJ+2EE9ZzoZmT:Aq2kc4m9tD5KmJ0EnMZ

Malware Config

Extracted

Path

C:\tMAXi4m5p.README.txt

Ransom Note
Hello my dear friend. Do not scan the files with antivirus in any case. In case of data loss, the consequences are yours.

Your data is encrypted

Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted

The only method of recovering files is to purchase decrypt tool and unique key for you.

If you want to recover your files, write us to this e-mail: [email protected]
In case of no answer in 24 hours write us to this backup e-mail: [email protected]
Check your e-mail Spam or Junk folder if you don't get answer more than 6 hours.

Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly.

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software - it may cause permanent data loss.
We are always ready to cooperate and find the best way to solve your problem.
The faster you write - the more favorable conditions will be for you.
Our company values its reputation. We give all guarantees of your files decryption.

What are your recommendations?
- Never change the name of the files, if you want to manipulate the files, be sure to back them up. If there are any problems with the files, we are not responsible for them.
- Never work with intermediary companies because they charge you more money.

Don't be afraid of us, just email us.

Sensitive data on your system was DOWNLOADED.
If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly.

Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Private financial information including: clients data, bills, budgets, annual reports, bank statements.
- Manufacturing documents including: datagrams, schemas, drawings in solidworks format
- And more...

What are the dangers of leaking your company's data.
First of all, you will receive fines from the government such as the GDRP and many others, you can be sued by customers of your firm for leaking information that was confidential. Your leaked data will be used by all the hackers on the planet for various unpleasant things. For example, social engineering, your employees' personal data can be used to re-infiltrate your company. Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered. On another vacation trip, you will have to explain to the FBI where you got millions of dollars worth of stolen cryptocurrency transferred through your accounts on cryptocurrency exchanges. Your personal information could be used to make loans or buy appliances. You would later have to prove in court that it wasn't you who took out the loan and pay off someone else's loan. Your competitors may use the stolen information to steal technology or to improve their processes, your working methods, suppliers, investors, sponsors, employees, it will all be in the public domain. You won't be happy if your competitors lure your employees to other firms offering better wages, will you? Your competitors will use your information against you. For example, look for tax violations in the financial documents or any other violations, so you have to close your firm. According to statistics, two thirds of small and medium-sized companies close within half a year after a data breach. You will have to find and fix the vulnerabilities in your network, work with the customers affected by data leaks. All of these are very costly procedures that can exceed the cost of a ransomware buyout by a factor of hundreds. It's much easier, cheaper and faster to pay us the ransom. Well and most importantly, you will suffer a reputational loss, you have been building your company for many years, and now your reputation will be destroyed. 
Do not go to the police or FBI for help and do not tell anyone that we attacked you. They won't help and will only make your situation worse.

Signatures

  • Renames multiple (312) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\202409298911139e0686509cbf44954ba2ba6675darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\202409298911139e0686509cbf44954ba2ba6675darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\ProgramData\77DE.tmp
      "C:\ProgramData\77DE.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:692
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\77DE.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:888
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:2160

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini

      Filesize

      129B

      MD5

      788ea1a02f43ffdf92c76e9806e95022

      SHA1

      0b872260275da92cd17cdb6629994c5c09bbc383

      SHA256

      7787b00e63900b4927b4f6c11897ba988349549e81aa809d5505fd553889b753

      SHA512

      cb8efbb790a32b2c848cad8bb4542df39a79601106421c26b9f7e66be899351dedea996f7eafcb7ab31108eccccf996b562687e1352eaf4852b22c189f283ba4

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      150KB

      MD5

      31883040f66a7c39887b7e9e08e282b7

      SHA1

      2ed0d09006c1911c3ad960676ba702cf2265eab7

      SHA256

      a22160da1af07685fce9a5fc86b5b82c461956f23f333c9b999013a8412b6756

      SHA512

      fd6f3329e3ec8633d4d55e1214321e73e05a62069b599ad6bba714c715fc30eb259dcfda4f91efd4fc8f7967c5306ffe94ef16181bc6b5673b2368ff6e83612c

    • C:\tMAXi4m5p.README.txt

      Filesize

      3KB

      MD5

      3b2c7f51fe80e142a7dbbf0d3565e398

      SHA1

      dc32f374357a8057bbe023e9e2ba9755b04388b3

      SHA256

      8ce7b3a993e3ab7bec11db06274026cc24cd6f04649db19e0b8a2e3c64177803

      SHA512

      0fe73ea135598b8ad13aa50b11e6ef82a2306e7bb66cf4f0b93747b64d233f42de049a32ff75b1bc315aa2b6f29c3524cfc467ba6782f2cbbbee526d39e88318

    • F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      64d1cc450aedf43f70872c8412d19e1e

      SHA1

      cb6577cc8d0369d4ace15e5355fca72d73c4fe28

      SHA256

      86d015b50d4f996c655d0569c53b07f333397ee5fe8b44873dd620ef63c6ccc9

      SHA512

      17a0bfa2cc7e4a8cae71fd49da5b7631d1a87d721b1027350136f53e356d4ea2172c93ba7157cb11a08c040dd2fce8ef694f17ecd1bbfb3b5e25a0b8ac0ffd49

    • \ProgramData\77DE.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/692-842-0x0000000000401000-0x0000000000404000-memory.dmp

      Filesize

      12KB

    • memory/692-845-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/692-846-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/692-843-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/2748-0-0x00000000000D0000-0x0000000000110000-memory.dmp

      Filesize

      256KB