Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-02-2024 11:55

General

  • Target

    2024-02-15_e18ad7e7c1f3b86250beb3deabe9ce03_darkside.exe

  • Size

    146KB

  • MD5

    e18ad7e7c1f3b86250beb3deabe9ce03

  • SHA1

    2e30f346324ab4dd95daa113165587fb6b9e817a

  • SHA256

    71895d170c7578dc8d5dba7e3136e514d8c42f502e5dc88aff532f11dac01f32

  • SHA512

    1d8f34afcb45ebbecfb9b07dc395ddabecbd9060c59bcf817386d52a37484d77b09ab818ab1c941df7b9b504c3cab1e962e88709d6c6aeb9cbc37ee5f1d2aebd

  • SSDEEP

    1536:5zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDiaaL+6VfaU1QezJDX5EHRBiZ1B:CqJogYkcSNm9V7DnefaU1QwJ5CR29T

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-15_e18ad7e7c1f3b86250beb3deabe9ce03_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-15_e18ad7e7c1f3b86250beb3deabe9ce03_darkside.exe"
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\ProgramData\61BF.tmp
      "C:\ProgramData\61BF.tmp"
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2016
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x150
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-2444714103-3190537498-3629098939-1000\YYYYYYYYYYY

      Filesize

      129B

      MD5

      2ed9845628548ba4356ee8be47eba58d

      SHA1

      3c3f971eecc000bf69b327d13c4c44a06c911555

      SHA256

      aacbfa11b724f277f32186cec3464c1b1be2a8414daa3c14616728db0c521812

      SHA512

      be619ad5c2176c58b59c202889af4943bc214d7bb480fe1da7377ee8234b2e264a2e81fe3ad1c8aa3648e2e2a4c5375465c0a32ed0d064f10c8dddcd98e27cea

    • C:\aPj8kPbya.README.txt

      Filesize

      401B

      MD5

      a4a44c115f77fb6a8b86ce357845c504

      SHA1

      5346db5cc94ffe243fce3ccbd74879580c9e49bf

      SHA256

      8ee6de1ebdc07b5c71483aac95b9deb667b0413c8c30a902e74df99a6bbe1eeb

      SHA512

      af02e93763b99d2b5e88580e0fec04ce02e7b88c76c40baf468ae60e57935fee4f38b28ea3660661ae80207ddf1a73e636d0567edc827c842d782627b39b18b2

    • F:\$RECYCLE.BIN\S-1-5-21-2444714103-3190537498-3629098939-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      6379cafa14363f572884fc5c83d89c3e

      SHA1

      0f35d6f715834ee63fa39315b34763c60a4ec2d6

      SHA256

      a10cc0de7bfc4b8f019400681d52ad4ab7f76c6c36b860d2e3477ea94c817a45

      SHA512

      fe132b65c37a1f64e97de437b58e7bf3bfa960bc2d6516c77599b732ba71da2eb4e6f38590b1004b12d6753c10a6603f45b3802675195c39dcc70ae0148a661c

    • \ProgramData\61BF.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/1812-0-0x0000000000DD0000-0x0000000000E10000-memory.dmp

      Filesize

      256KB

    • memory/2016-849-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

    • memory/2016-850-0x0000000002130000-0x0000000002170000-memory.dmp

      Filesize

      256KB

    • memory/2016-851-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

    • memory/2016-852-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

    • memory/2016-853-0x0000000002130000-0x0000000002170000-memory.dmp

      Filesize

      256KB