be42cb8a1e01406a093980ce7d0e108a7faaf579ca4b72a622b4e27bedf38cad

Analysis

max time kernel
66s
max time network
22s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Size

145KB
MD5

93ba419d9c5319fddcd6839a38225c81
SHA1

617d278f7a70b61db75df91bb35d63a5fa0efad3
SHA256

be42cb8a1e01406a093980ce7d0e108a7faaf579ca4b72a622b4e27bedf38cad
SHA512

214900f6ceed5b8f28142c5f21852c092275da412b9f1ed1de269ca694f466f3ece048f52461e25bc9c80b1468ad1d3f386b60bf98f8e7d17fde2514052d2366
SSDEEP

1536:wzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDc7KjOo5QCVICtgzRsLgenUedta:PqJogYkcSNm9V7Dcmio5rVprLKWf8LT

Score

9^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (373) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
1740	9675.tmp

Executes dropped EXE 1 IoCs

pid	Process
1740	9675.tmp

Loads dropped DLL 1 IoCs

pid	Process
1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\0hKkZEcBc.bmp"	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\0hKkZEcBc.bmp"	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1740	9675.tmp

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9675.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\WallpaperStyle = "10"	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\0hKkZEcBc\DefaultIcon\ = "C:\\ProgramData\\0hKkZEcBc.ico"	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.0hKkZEcBc	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.0hKkZEcBc\ = "0hKkZEcBc"	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\0hKkZEcBc\DefaultIcon	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\0hKkZEcBc	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp
1740	9675.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeDebugPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: 36	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeImpersonatePrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeIncBasePriorityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeIncreaseQuotaPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: 33	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeManageVolumePrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeProfSingleProcessPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeRestorePrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSystemProfilePrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeTakeOwnershipPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeShutdownPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeDebugPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeBackupPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
Token: SeSecurityPrivilege	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1740	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe	32
PID 1096 wrote to memory of 1740	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe	32
PID 1096 wrote to memory of 1740	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe	32
PID 1096 wrote to memory of 1740	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe	32
PID 1096 wrote to memory of 1740	1096	2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe	32
PID 1740 wrote to memory of 1884	1740	9675.tmp	33
PID 1740 wrote to memory of 1884	1740	9675.tmp	33
PID 1740 wrote to memory of 1884	1740	9675.tmp	33
PID 1740 wrote to memory of 1884	1740	9675.tmp	33

C:\Users\Admin\AppData\Local\Temp\2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096
- C:\ProgramData\9675.tmp
  "C:\ProgramData\9675.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9675.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1884

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini

Filesize
129B

MD5
cbf1c58aed43db853a906f9a6d2de1b1

SHA1
4d9adb28a6579a2c9f7981c5639aa8312bf42103

SHA256
458007ebde48288c08312380fb44afcfc0926f4bc6932e6e13793e0cd6306f50

SHA512
d9577429f7dd1bde19ed7c088cf0efeb59ac0bd4ecd9bd53c4ea7dab009a95518610f1769d73e63aa667e82f2fad665131e96739f240c792b7ccc9b594e4988b

Download Submit
C:\0hKkZEcBc.README.txt

Filesize
395B

MD5
8cce7f5f3be9f292153069bb624e8dbf

SHA1
ed4bd1856859441581d99a60685c58f68342c847

SHA256
43c3cf66423de7c10bd7eff9807063b16d864b018a6cb2e9b1682dff36ed9911

SHA512
6944f4b855a76a5288adacd930aa3a9fa15f78a1658b4f09682adb1e5d277ff212cabacc369be3447957569ee3103a4a5532f57476a5479fbac761a764e6e9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
145KB

MD5
883918ad56e9cf7850c42717e2491546

SHA1
577b92814fa1a8dafe99cdedd9cd627b67e00f7f

SHA256
7c5a279c6a500991c1f23199daaed453b3bca8ffd18f80e303433af847600780

SHA512
203595ec17e1e3a5bbf95c8ac721a62bb3d93561add4b4d3a981ee15500dc2002c55020452b021897197461beb6bc656a70c7d8175d7fba0531f582d3642f2da

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\FFFFFFFFFFF

Filesize
129B

MD5
6849bdc4a1b1b40280820cfae84aab04

SHA1
874f2a004314e382030c199528bce0428491a080

SHA256
eee35350e51cc336860604bd61b0404864a87265f0569961c9e4bb52797cd9cb

SHA512
a16fd05e573f3d16f92aea91ce50f6a7362c6170ed5d1d7be4d2c94946c31fc0603c8b15474d3543ba158d839f5239d4d1ed0ace0101b79119ac233ebaa5ec6b

Download Submit
\ProgramData\9675.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1096-0-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/1740-896-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/1740-898-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download