Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 15-02-2024 12:23
Behavioral task: behavioral1
  Sample: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe
  Resource: win10v2004-20231215-en
General
Target: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe
Size: 147KB
MD5: 2dadaf10d507b44e7b561405d9227bc2
SHA1: 5406d642422ca05857447ad82979d6d44c326834
SHA256: 6dd44d852226fd9e7fc914c6edbaf185bfcaacdc7a4dcdb7268440e6fc811618
SHA512: 0cbd90e6bc68e1052ecc22f90c9e3fbfccc796029e7ef9258f4d5f1b29dfe26c0a0f799b5a406a097c32e1beb27e3c1fdbd65ca67615d1e37f265874ddac2f11
SSDEEP: 3072:G6glyuxE4GsUPnliByocWepHLamgTCsUd3Mh:G6gDBGpvEByocWeFLamg+NM
Malware Config
Extracted ransom note: C:\G3fEAZsSH.README.txt
Signatures
- Renames multiple (348) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself (1 IoC)
  Process: CC83.tmp (PID 1544)
- Executes dropped EXE (1 IoC)
  Process: CC83.tmp (PID 1544)
- Loads dropped DLL (1 IoC)
  Process: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe (PID 2224)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini (process: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini (process: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\G3fEAZsSH.bmp" (process: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\G3fEAZsSH.bmp" (process: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Process: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe (PID 2224), 4 occurrences
  Process: CC83.tmp (PID 1544), 1 occurrence
- Modifies Control Panel (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop (process: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\WallpaperStyle = "10" (process: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
- Modifies registry class (5 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.G3fEAZsSH (process: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.G3fEAZsSH\ = "G3fEAZsSH" (process: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\G3fEAZsSH\DefaultIcon (process: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\G3fEAZsSH (process: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\G3fEAZsSH\DefaultIcon\ = "C:\\ProgramData\\G3fEAZsSH.ico" (process: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Process: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe (PID 2224), 14 occurrences
- Suspicious behavior: RenamesItself (26 IoCs)
  Process: CC83.tmp (PID 1544), 26 occurrences
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Process: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe (PID 2224), all 64 token adjustments
  Tokens adjusted, in order: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege
  Followed by 48 further adjustments alternating in pairs between SeBackupPrivilege and SeSecurityPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2224 wrote to memory of 1544 (process: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe, procid_target 30), 5 occurrences
  PID 1544 wrote to memory of 1948 (process: CC83.tmp, procid_target 31), 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe"
  PID: 2224
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\CC83.tmp (depth 2)
    Command line: "C:\ProgramData\CC83.tmp"
    PID: 1544
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CC83.tmp >> NUL
      PID: 1948
- C:\Windows\system32\AUDIODG.EXE (depth 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x154
  PID: 1708
Network
MITRE ATT&CK Enterprise v15