Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 17-02-2024 11:40
Behavioral task: behavioral1
- Sample: 2024-02-17_93ddced13de907d75d421aff8ce8cde3_darkside.exe
- Resource: win7-20231215-en
General
- Target: 2024-02-17_93ddced13de907d75d421aff8ce8cde3_darkside.exe
- Size: 146KB
- MD5: 93ddced13de907d75d421aff8ce8cde3
- SHA1: 11418c6c3c57ca52c975c2f4e844df24c635f35f
- SHA256: 492ac25608dda01b3f776b46a7631bb8cd91a0ce0168931ec5bb9a846e702e39
- SHA512: 77db1a1cb741c431f224f31cf6edec189c92b53185250f3b186bd6275fc1d09b6668fa593ae3b86db57dcb52bed247c17a747eaf02ced102293f8918a2d4d8f8
- SSDEEP: 3072:v6glyuxE4GsUPnliByocWep+rpfbfiwxmcyF:v6gDBGpvEByocWe2pfbfiwzyF
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes:
    pid 2132  9444.tmp
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2132  9444.tmp
- Loads dropped DLL (1 IoC)
  Processes:
    pid 1712  2024-02-17_93ddced13de907d75d421aff8ce8cde3_darkside.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  Processes (description / ioc / Process):
    File opened for modification  C:\$Recycle.Bin\S-1-5-21-452311807-3713411997-1028535425-1000\desktop.ini  2024-02-17_93ddced13de907d75d421aff8ce8cde3_darkside.exe
    File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-452311807-3713411997-1028535425-1000\desktop.ini  2024-02-17_93ddced13de907d75d421aff8ce8cde3_darkside.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Processes:
    pid 1712  2024-02-17_93ddced13de907d75d421aff8ce8cde3_darkside.exe  (4 entries)
    pid 2132  9444.tmp  (1 entry)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid 1712  2024-02-17_93ddced13de907d75d421aff8ce8cde3_darkside.exe  (14 entries)
- Suspicious behavior: RenamesItself (26 IoCs)
  Processes:
    pid 2132  9444.tmp  (26 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / Process), all entries from pid 1712, 2024-02-17_93ddced13de907d75d421aff8ce8cde3_darkside.exe; tokens in order of first appearance, with repeat counts:
    Token: SeAssignPrimaryTokenPrivilege  (1)
    Token: SeBackupPrivilege  (26)
    Token: SeDebugPrivilege  (2)
    Token: 36  (1)
    Token: SeImpersonatePrivilege  (1)
    Token: SeIncBasePriorityPrivilege  (1)
    Token: SeIncreaseQuotaPrivilege  (1)
    Token: 33  (1)
    Token: SeManageVolumePrivilege  (1)
    Token: SeProfSingleProcessPrivilege  (1)
    Token: SeRestorePrivilege  (1)
    Token: SeSecurityPrivilege  (24)
    Token: SeSystemProfilePrivilege  (1)
    Token: SeTakeOwnershipPrivilege  (1)
    Token: SeShutdownPrivilege  (1)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / Process / procid_target):
    PID 1712 wrote to memory of 2132  1712  2024-02-17_93ddced13de907d75d421aff8ce8cde3_darkside.exe  30  (5 entries)
    PID 2132 wrote to memory of 1360  2132  9444.tmp  31  (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-02-17_93ddced13de907d75d421aff8ce8cde3_darkside.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-17_93ddced13de907d75d421aff8ce8cde3_darkside.exe"
  PID: 1712
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\9444.tmp
    Command line: "C:\ProgramData\9444.tmp"
    PID: 2132
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9444.tmp >> NUL
      PID: 1360
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x150
  PID: 1728
Network
MITRE ATT&CK Enterprise v15
Downloads