Analysis
-
max time kernel
142s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
26-01-2024 04:29
Behavioral task
behavioral1
Sample
2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe
-
Size
145KB
-
MD5
6a801424860b7e86639254592bbc84b1
-
SHA1
6e5a6170260e06a00c90e975fe8c98489b7a0d03
-
SHA256
6fcee00c908b40aac5a7e50007f485fc35ebfbdc2ae6a6d5e0a1f37636caca75
-
SHA512
75740fd2f7094a1b9c55d84caf5ff620c888c3e13ce1ecb983c978e2f5dbaa07d4cae5d9cd5563f85e96cd027d11def5beb6fb6607b9dc219e67196fe0ebb92e
-
SSDEEP
3072:k6glyuxE4GsUPnliByocWep/YiIp6tcPS:k6gDBGpvEByocWe9YGu6
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
C927.tmpdescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation C927.tmp -
Deletes itself 1 IoCs
Processes:
C927.tmppid Process 2516 C927.tmp -
Executes dropped EXE 1 IoCs
Processes:
C927.tmppid Process 2516 C927.tmp -
Drops desktop.ini file(s) 2 IoCs
Processes:
2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exedescription ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-635608581-3370340891-292606865-1000\desktop.ini 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-635608581-3370340891-292606865-1000\desktop.ini 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exeC927.tmppid Process 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 2516 C927.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exepid Process 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
Processes:
C927.tmppid Process 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp 2516 C927.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exedescription pid Process Token: SeAssignPrimaryTokenPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeDebugPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: 36 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeImpersonatePrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeIncBasePriorityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeIncreaseQuotaPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: 33 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeManageVolumePrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeProfSingleProcessPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeRestorePrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSystemProfilePrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeTakeOwnershipPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeShutdownPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeDebugPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeBackupPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe Token: SeSecurityPrivilege 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exeC927.tmpdescription pid Process procid_target PID 4400 wrote to memory of 2516 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 96 PID 4400 wrote to memory of 2516 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 96 PID 4400 wrote to memory of 2516 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 96 PID 4400 wrote to memory of 2516 4400 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe 96 PID 2516 wrote to memory of 4616 2516 C927.tmp 97 PID 2516 wrote to memory of 4616 2516 C927.tmp 97 PID 2516 wrote to memory of 4616 2516 C927.tmp 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe"1⤵
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\ProgramData\C927.tmp"C:\ProgramData\C927.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C927.tmp >> NUL3⤵PID:4616
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD547270b2b04fad838c11e8e95b8ae99d5
SHA111022e59f7e4a5ae1b18c9a598e079ad41b447bf
SHA256724412f9668a929acd59b2d6a32374153fc73d8a9c81a6e4a4255911476f1bdc
SHA5120717880ed09898c9a0c67d9f08aac96c151ff4b2f4a573a2bfc3f23d208595b1c16357c538bff696e83b4d56037a8273c868511fdfab12b28e9525c82a63aeaa
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
145KB
MD53c755aa3c75c28b94bd406e50dfadc77
SHA139a8a1383d4292bab9878113999237a4576bc67d
SHA2561517c16d0e83e86e712f736cffbfb0038ca603088fcdfa11cb15175141f87e7d
SHA512825f4f84edd5e3b901033b1d57d9b393d348689ded0cf57ff8a412b542437eb0c966139cf41c748cce4b291510a02d405a27a5ddbed483a1fb2a23a2c1ebdc1e
-
Filesize
160B
MD581a4e6c6fa7b9a1c296450f6b9add683
SHA19ef09d4e1ea37f015b178a9f1b13142e1ec1f750
SHA256e2d62b963f27a08e8baab24db85dc0857b98ae29457fd89e09904617fd136dba
SHA51251c95a5357efde2e0d3c21f6b634e03047efd13d2c5e13570c38c43ac3171e2ca15bc2919f093032f346b0838b695f5ed9f4d479e5205dd90b411516ce04860b
-
Filesize
129B
MD5054ad2ec93d5fff2a89889b36d4beb55
SHA1a253029b0a5a018733ca5fe525acaac02c35cdf1
SHA256656586481fa9f72e729bbc7b69c3708a261962006eecc00134e81fc11e135b42
SHA512c847580179237cdbbadb0b85559267d4737e1e1b3f20bcbec9aa183c8761a10acdce21a558d7d2e1b4d6c5a0ee49d8f75666179340c2de25503d93f0354b4ecb