6efed93758e3a905ccc68f75e2c01fff4e16b95325801b7576f640e1992f550e

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/01/2025, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Size

148KB
MD5

95327cd72707256460a62f54aafb35d0
SHA1

b70ca69207f2efe3da247a8c88996b732d6c72a9
SHA256

6efed93758e3a905ccc68f75e2c01fff4e16b95325801b7576f640e1992f550e
SHA512

7f4b30575e0cc1352453681a546dd2148219942779f09fb7b85afa43fb7938a7aa36f6d7a1bdd4510ad4442a156ebe4602d2dd50754da021f9698bcd68045331
SSDEEP

3072:f6glyuxE4GsUPnliByocWepFWGvh+gZqVoqe:f6gDBGpvEByocWeNvh+RoZ

Score

10^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\AP8hWv7RB.README.txt

Ransom Note

Ni hao! Your data are stolen and encrypted. In case of nonpayment - all information will be sold or made publicly accessible, and we will also continue to attack your servers. Compared to other ransomware we charge a lot less, so don't be stingy!:-) If you pay - we will provide you with decryption software and remove your data from our servers. We will also let you know about the vulnerability in your servers that we used to infiltrate your network. WARNING! Do not delete or modify any files, it can lead to recovery problems! You can contact us using Session messenger without registration and sms https://getsession.org/download My Session ID: 05839c6cce78c3f3043e7a65c27e881cbb9efbda3bab942d273a496876340b254f You also can contact us using Tox messenger without registration and SMS https://tox.chat/download.html My Tox ID: BF2FBB22C4CFD24EF9AFE2CAB694D8C1E3E2340393E846514659C59D8C52F43CBD76209603AE You can send us any 1 file for free decryption. Good luck! 您好！您的数据已被窃取并加密。如果不付款，所有信息将被出售或公开，我们将继续攻击您的服务器。与其他勒索软件相比，我们的收费要低得多，所以不要小气！如果您付款，我们将为您提供解密软件，并从我们的服务器上删除您的数据。我们还会让你知道我们利用你服务器上的漏洞来渗透你的网络。警告：请勿删除或修改任何文件，否则可能导致恢复问题！您可以使用无需注册的会话信使和短信 https://getsession.org/download 与我们联系。我的会话 ID: 05839c6cce78c3f3043e7a65c27e881cbb9efbda3bab942d273a496876340b254f 您也可以使用 Tox 使者（无需注册）和 SMS https://tox.chat/download.html 与我们联系。我的 ID: BF2FBB22C4C4CFD24EF9AF9AFE2CAB694D8C1E3E2340393E846514659C59C59D8C52F43CBD76209603AE 您可以将任意 1 个文件发送给我们进行免费转录。祝您好运

URLs

https://getsession.org/download

https://tox.chat/download.html

Signatures

Renames multiple (8016) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
776	6FA4.tmp

Executes dropped EXE 1 IoCs

pid	Process
776	6FA4.tmp

Loads dropped DLL 9 IoCs

pid	Process
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AP8hWv7RB.bmp"	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AP8hWv7RB.bmp"	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
776	6FA4.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216570.WMF.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPQUOT.XML	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN02724_.WMF	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04117_.WMF	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212685.WMF	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Troll.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Hardcover.xml.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07831_.WMF	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08773_.WMF.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\bbc_co_uk.luac.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107282.WMF	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241043.WMF	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\MDIParent.zip	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_F_COL.HXK.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18247_.WMF	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File created	C:\Program Files\Java\jre7\lib\AP8hWv7RB.README.txt	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\TITLE.XSL	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00200_.WMF	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\settings.css	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql2000.xsl.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_zh_CN.jar.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Gambier	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado20.tlb	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\AP8hWv7RB.README.txt	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_ON.GIF.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212601.WMF.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Nauru	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00233_.WMF.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03339_.WMF.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\WMPDMC.exe.mui	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Berlin	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\weather.css	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\logo.png	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB4.BDR.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01251_.WMF.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Sydney.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Atikokan	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\MDIParent.zip.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGDOTS.DPV.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\TAB_ON.GIF.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Majuro	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Students.accdt	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\AP8hWv7RB.README.txt	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400002.PNG	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00014_.WMF	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\TAB_ON.GIF	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\THMBNAIL.PNG.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\AP8hWv7RB.README.txt	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6FA4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallpaperStyle = "10"	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AP8hWv7RB\DefaultIcon\ = "C:\\ProgramData\\AP8hWv7RB.ico"	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.AP8hWv7RB	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.AP8hWv7RB\ = "AP8hWv7RB"	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AP8hWv7RB\DefaultIcon	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp
776	6FA4.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeDebugPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: 36	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeImpersonatePrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeIncBasePriorityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeIncreaseQuotaPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: 33	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeManageVolumePrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeProfSingleProcessPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeRestorePrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSystemProfilePrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeTakeOwnershipPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeShutdownPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeDebugPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeBackupPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
Token: SeSecurityPrivilege	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 776	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe	33
PID 2796 wrote to memory of 776	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe	33
PID 2796 wrote to memory of 776	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe	33
PID 2796 wrote to memory of 776	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe	33
PID 2796 wrote to memory of 776	2796	2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe	33
PID 776 wrote to memory of 1792	776	6FA4.tmp	34
PID 776 wrote to memory of 1792	776	6FA4.tmp	34
PID 776 wrote to memory of 1792	776	6FA4.tmp	34
PID 776 wrote to memory of 1792	776	6FA4.tmp	34

C:\Users\Admin\AppData\Local\Temp\2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_95327cd72707256460a62f54aafb35d0_darkside.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\ProgramData\6FA4.tmp
  "C:\ProgramData\6FA4.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6FA4.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1792

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\DDDDDDDDDDD

Filesize
129B

MD5
edb541ea222940685c1e950e22e79b3b

SHA1
153ff247ae0b035c4edb28c12e95dc63a2100cf3

SHA256
83c43fe26679547e89b907238d2061c4fbdd71b8b32d9a0e7081e1e7d9427820

SHA512
12287f351427c6b17afc05f27ec5b56cd1b7fe330d0405167bfe3b498b4a7d9ada34a3199e66135742af1171b7b6881d699b09f5f610106adceb4f2c00a47169

Download Submit
C:\AP8hWv7RB.README.txt

Filesize
2KB

MD5
d16734b43544f0e05d570563c001e4eb

SHA1
73cef7171e473b7ebbec10511baa694ba51d38ae

SHA256
a0514422de97e9ebcd6f4fd7e1de1e978a67abe298aa7be582f653fedd4bceff

SHA512
f321cb9b4a6df1e3dd3ff1163ac447e87543d2ed77079d07a45a11069b95d98ef4448a1d5f5a971f8ca69ddede80eff17d0ccf3784438a6ccd9e638659d66004

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
148KB

MD5
6f6d289942724d690dde8c99d84984e5

SHA1
e9fb3537b767be5e6539ecbbb0303185e36197cb

SHA256
fe3564219c42eb81e1a04c11c064d922b923645a1c4248317ccc5eab6ee992d3

SHA512
d4156d846fdf44bf3dcbdd81ec314b03829c79c9d5ad9a8d0ed1f33f6d8e4d2097357f6f63dd9ab85b755fc5d66012255495606ba3127b49a445e9909f02c2d6

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\DDDDDDDDDDD

Filesize
129B

MD5
85d9497349feccaf3a51d72035bd77c8

SHA1
a223b08a95732a80a764fc5c6c17f995c01afe68

SHA256
03d377d94eba6a9e2184b946cfcdbf2d38175f0c474ac84bdb7929bd3fdc4908

SHA512
2d2a023bd896048bd50093aff6b63fac520862ccd082dc4231f216cd062fa8bd3af6570ae31362fab728ca429a552109d0791ade4a16c438c53ec352d3e12331

Download Submit
\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
4.7MB

MD5
61bffb5f57ad12f83ab64b7181829b34

SHA1
945d94fef51e0db76c2fd95ee22ed2767be0fe0b

SHA256
1dd0dd35e4158f95765ee6639f217df03a0a19e624e020dba609268c08a13846

SHA512
e569639d3bb81a7b3bd46484ff4b8065d7fd15df416602d825443b2b17d8c0c59500fb6516118e7a65ea9fdd9e4be238f0319577fa44c114eaca18b0334ba521

Download Submit
\ProgramData\6FA4.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/776-11976-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/776-11978-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/776-11981-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/776-11980-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/776-11979-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/776-12011-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/776-12010-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2796-0-0x00000000023C0000-0x0000000002400000-memory.dmp

Filesize
256KB

Download