7076b6c554055cb2061d240b670ac904ed5593892a7b99ac39a1b0bd5882e4aa

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Size

148KB
MD5

543b24178d7aa05e2eeef7ad056d8311
SHA1

bb74278fce64674315889c09bfbf52c74185ae4b
SHA256

7076b6c554055cb2061d240b670ac904ed5593892a7b99ac39a1b0bd5882e4aa
SHA512

4c96d67e48ce55a45ad36e859e14b35ad49e5488a59a6f86e8ce6611aaae8c64eb19a2e350ccdeade11fb3352dcee55201ca8e27d12665f2dd1ae341534ca46c
SSDEEP

3072:f6glyuxE4GsUPnliByocWepFWGvh+gZqVoq:f6gDBGpvEByocWeNvh+Ro

Score

10^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\AP8hWv7RB.README.txt

Ransom Note

Ni hao! Your data are stolen and encrypted. In case of nonpayment - all information will be sold or made publicly accessible, and we will also continue to attack your servers. Compared to other ransomware we charge a lot less, so don't be stingy!:-) If you pay - we will provide you with decryption software and remove your data from our servers. We will also let you know about the vulnerability in your servers that we used to infiltrate your network. WARNING! Do not delete or modify any files, it can lead to recovery problems! You can contact us using Session messenger without registration and sms https://getsession.org/download My Session ID: 05839c6cce78c3f3043e7a65c27e881cbb9efbda3bab942d273a496876340b254f You also can contact us using Tox messenger without registration and SMS https://tox.chat/download.html My Tox ID: BF2FBB22C4CFD24EF9AFE2CAB694D8C1E3E2340393E846514659C59D8C52F43CBD76209603AE You can send us any 1 file for free decryption. Good luck! 您好！您的数据已被窃取并加密。如果不付款，所有信息将被出售或公开，我们将继续攻击您的服务器。与其他勒索软件相比，我们的收费要低得多，所以不要小气！如果您付款，我们将为您提供解密软件，并从我们的服务器上删除您的数据。我们还会让你知道我们利用你服务器上的漏洞来渗透你的网络。警告：请勿删除或修改任何文件，否则可能导致恢复问题！您可以使用无需注册的会话信使和短信 https://getsession.org/download 与我们联系。我的会话 ID: 05839c6cce78c3f3043e7a65c27e881cbb9efbda3bab942d273a496876340b254f 您也可以使用 Tox 使者（无需注册）和 SMS https://tox.chat/download.html 与我们联系。我的 ID: BF2FBB22C4C4CFD24EF9AF9AFE2CAB694D8C1E3E2340393E846514659C59C59D8C52F43CBD76209603AE 您可以将任意 1 个文件发送给我们进行免费转录。祝您好运

URLs

https://getsession.org/download

https://tox.chat/download.html

Signatures

Renames multiple (8019) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2612	5909.tmp

Executes dropped EXE 1 IoCs

pid	Process
2612	5909.tmp

Loads dropped DLL 5 IoCs

pid	Process
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AP8hWv7RB.bmp"	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AP8hWv7RB.bmp"	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2612	5909.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\es-ES\FreeCell.exe.mui	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBOB6.CHM.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\AP8hWv7RB.README.txt	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate.css	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14791_.GIF	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107264.WMF.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186362.WMF.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\AP8hWv7RB.README.txt	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\WET	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImages256Colors.bmp.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME52.CSS	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_COL.HXT.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME38.CSS	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296279.WMF.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.htm	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port-au-Prince	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\AP8hWv7RB.README.txt	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\AP8hWv7RB.README.txt	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01636_.WMF.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00629_.WMF.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL075.XML	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_zh_CN.jar	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin_2.0.100.v20131209-2144.jar	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.svg_1.1.0.v201011041433.jar	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174639.WMF.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01123_.WMF.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DVA.api	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\AP8hWv7RB.README.txt	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Minsk.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105974.WMF	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\fr-FR\PurblePlace.exe.mui	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293844.WMF	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Campo_Grande	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\localizedStrings.js	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\Sidebar.exe.mui	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FORM.JS.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\LightSpirit.css.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\ShvlRes.dll.mui	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\AP8hWv7RB.README.txt	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5909.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\WallpaperStyle = "10"	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AP8hWv7RB\DefaultIcon	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AP8hWv7RB\DefaultIcon\ = "C:\\ProgramData\\AP8hWv7RB.ico"	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.AP8hWv7RB	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.AP8hWv7RB\ = "AP8hWv7RB"	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp
2612	5909.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeDebugPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: 36	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeImpersonatePrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeIncBasePriorityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeIncreaseQuotaPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: 33	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeManageVolumePrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeProfSingleProcessPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeRestorePrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSystemProfilePrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeTakeOwnershipPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeShutdownPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeDebugPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeBackupPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
Token: SeSecurityPrivilege	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2612	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe	33
PID 2456 wrote to memory of 2612	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe	33
PID 2456 wrote to memory of 2612	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe	33
PID 2456 wrote to memory of 2612	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe	33
PID 2456 wrote to memory of 2612	2456	2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe	33
PID 2612 wrote to memory of 2148	2612	5909.tmp	34
PID 2612 wrote to memory of 2148	2612	5909.tmp	34
PID 2612 wrote to memory of 2148	2612	5909.tmp	34
PID 2612 wrote to memory of 2148	2612	5909.tmp	34

C:\Users\Admin\AppData\Local\Temp\2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-12_543b24178d7aa05e2eeef7ad056d8311_darkside.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\ProgramData\5909.tmp
  "C:\ProgramData\5909.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5909.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2148

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini

Filesize
129B

MD5
a02f3948e97fad2bb009a373f980c787

SHA1
ea6463a5d33dc521c576dd1cd7b20c45b3e2ad09

SHA256
b9a878e51bddcc27f02555426efe7bdd2cafd81a701c17ecc6d8d491dbd9e9bd

SHA512
245f3b6eefc0879857f9a84e8d72699401b8dcf866eb30ddcec2df332d66b78cc86fe6605e2ccb629b91bbc9ea9ea89f0cba2c2c5877bd9f5455eef1268eaac5

Download Submit
C:\AP8hWv7RB.README.txt

Filesize
2KB

MD5
d16734b43544f0e05d570563c001e4eb

SHA1
73cef7171e473b7ebbec10511baa694ba51d38ae

SHA256
a0514422de97e9ebcd6f4fd7e1de1e978a67abe298aa7be582f653fedd4bceff

SHA512
f321cb9b4a6df1e3dd3ff1163ac447e87543d2ed77079d07a45a11069b95d98ef4448a1d5f5a971f8ca69ddede80eff17d0ccf3784438a6ccd9e638659d66004

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
148KB

MD5
0fd0a9e2f8baf2c2b657694d1b7b613a

SHA1
663ca4721fe7097527b23837070a0f05cf87c90f

SHA256
6e8fbdbccdcb076702eb87edfb8275a298e1889c03c63e09d0f96dca90062326

SHA512
bac8dc9ae95cc60103c3e2eda65745f174d5b84b7c0dabefbb235d4ce0697ee5d425d946ec9817eaa48df5403b1d2e90f5b2c806af6e50c1723654c923bcef78

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\PPPPPPPPPPP

Filesize
129B

MD5
1d466e1e205bf3a392213a3e07bf7518

SHA1
312a0e585d7e491bcd0a4bb76851eb94ba4e1a30

SHA256
8c1691ecda4bc3bf74d8c8b368d07a0c8d303e4ba6666e817e54348d42e14f47

SHA512
ed6db90f202494d9e248558695e04d76459e840e1c07922a507395ab1759629c344cdff8b943e04c27789757d8333b58c07a53cafc898925908d852f74b6225e

Download Submit
\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
4.7MB

MD5
61bffb5f57ad12f83ab64b7181829b34

SHA1
945d94fef51e0db76c2fd95ee22ed2767be0fe0b

SHA256
1dd0dd35e4158f95765ee6639f217df03a0a19e624e020dba609268c08a13846

SHA512
e569639d3bb81a7b3bd46484ff4b8065d7fd15df416602d825443b2b17d8c0c59500fb6516118e7a65ea9fdd9e4be238f0319577fa44c114eaca18b0334ba521

Download Submit
\ProgramData\5909.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/2456-0-0x0000000000A30000-0x0000000000A70000-memory.dmp

Filesize
256KB

Download
memory/2612-11975-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/2612-11979-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2612-11978-0x00000000004D0000-0x0000000000510000-memory.dmp

Filesize
256KB

Download
memory/2612-11977-0x00000000004D0000-0x0000000000510000-memory.dmp

Filesize
256KB

Download
memory/2612-11980-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2612-12010-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/2612-12009-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download