Analysis Overview
SHA256
e44345e64dc202f0226bfcf5c8a77446f9242debffa2d6e8eca14a1613b11794
Threat Level: Known bad
The file 2023-05-15_713ff075b572353ea0b1a010a905a16c_darkside was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
UPX packed file
Drops file in System32 directory
Program crash
Unsigned PE
Checks processor information in registry
Enumerates system info in registry
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-16 11:36
Signatures
Blackmatter family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-16 11:36
Reported
2023-05-16 11:38
Platform
win7-20230220-en
Max time kernel
28s
Max time network
30s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\2023-05-15_713ff075b572353ea0b1a010a905a16c_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-15_713ff075b572353ea0b1a010a905a16c_darkside.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-16 11:36
Reported
2023-05-16 11:38
Platform
win10v2004-20230220-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CC18D2C3-DBDA-4CE2-9AE4-16AC98440E1E}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{439909DC-64A2-4454-9DF5-1DBD3B5A9462}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2023-05-15_713ff075b572353ea0b1a010a905a16c_darkside.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\svchost.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\System32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\svchost.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2023-05-15_713ff075b572353ea0b1a010a905a16c_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-15_713ff075b572353ea0b1a010a905a16c_darkside.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2664 -ip 2664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 216
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.211.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.121.24.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.150.43.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.4.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.125.24.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.238.32.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.78.74.40.in-addr.arpa | udp |