Resubmissions

26-02-2024 07:34

240226-jd6mbsgf3z 10

26-01-2024 04:29

240126-e4cpqafcdp 10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-01-2024 04:29

General

  • Target

    2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe

  • Size

    145KB

  • MD5

    6a801424860b7e86639254592bbc84b1

  • SHA1

    6e5a6170260e06a00c90e975fe8c98489b7a0d03

  • SHA256

    6fcee00c908b40aac5a7e50007f485fc35ebfbdc2ae6a6d5e0a1f37636caca75

  • SHA512

    75740fd2f7094a1b9c55d84caf5ff620c888c3e13ce1ecb983c978e2f5dbaa07d4cae5d9cd5563f85e96cd027d11def5beb6fb6607b9dc219e67196fe0ebb92e

  • SSDEEP

    3072:k6glyuxE4GsUPnliByocWep/YiIp6tcPS:k6gDBGpvEByocWe9YGu6

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\ProgramData\1822.tmp
      "C:\ProgramData\1822.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1822.tmp >> NUL
        3⤵
          PID:868
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x148
      1⤵
        PID:2276

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\$Recycle.Bin\S-1-5-21-3818056530-936619650-3554021955-1000\desktop.ini

        Filesize

        129B

        MD5

        e4edb58eecc035441deb3ba9150386a6

        SHA1

        8763b43f5ed1963ab7f22d5457a3b6608e19fd29

        SHA256

        4d421f61d287c2cc33ae3ddac93db2789335fc00adb2bc063afd0a204ecfdf92

        SHA512

        96b303ddcd302fb2e1ae949609b2bd7592c315421a87370e1291f9a7ea1b1ff908c0099e2bfa75bc9f67ee685cc5e800533d5d01100ff5a61de7716309761b9a

      • C:\ProgramData\1822.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        145KB

        MD5

        727d3f29e6adb4146d4bb2da56ebb383

        SHA1

        4d1ab6872b780b233207b50ed26d9112272a86b4

        SHA256

        ddc96749536db80ffb9d5362481f6c2018189eff5cd6a866ddb9cbed600d6ca9

        SHA512

        bc2114a79cb06862bce5a49f25258385f07e0fd286ce50404ee63046fb38d39982a21df6f13ee98319c340d3a036dae932c6972f8bea58fbca60fad0cc3822a0

      • F:\$RECYCLE.BIN\S-1-5-21-3818056530-936619650-3554021955-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        b775aeecc7cbdc25835ea12755270ca1

        SHA1

        6bdd56a0433d2b132a8e0f17bfcb04681020fc04

        SHA256

        5a0798fa947980e6bd8d61f90a223836bfe5406151d59fa1fef05ddcde3e3469

        SHA512

        3e22dd71da9d86d7e0d423eca4beadba4347ee449e327c913c5007c74110a43c60a77f38eb64e4dbe2e2757898ea13657812be4ef1611e3486e7bf27d209b10c

      • memory/2184-113-0x000000007EF20000-0x000000007EF21000-memory.dmp

        Filesize

        4KB

      • memory/2184-111-0x000000007EF80000-0x000000007EF81000-memory.dmp

        Filesize

        4KB

      • memory/2184-110-0x00000000021E0000-0x0000000002220000-memory.dmp

        Filesize

        256KB

      • memory/2184-108-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

      • memory/2184-114-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

        Filesize

        4KB

      • memory/2184-142-0x000000007EF40000-0x000000007EF41000-memory.dmp

        Filesize

        4KB

      • memory/2184-143-0x000000007EF60000-0x000000007EF61000-memory.dmp

        Filesize

        4KB

      • memory/2184-144-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

      • memory/2496-0-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

        Filesize

        256KB