Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-02-2024 11:40

General

  • Target

    2024-02-17_93ddced13de907d75d421aff8ce8cde3_darkside.exe

  • Size

    146KB

  • MD5

    93ddced13de907d75d421aff8ce8cde3

  • SHA1

    11418c6c3c57ca52c975c2f4e844df24c635f35f

  • SHA256

    492ac25608dda01b3f776b46a7631bb8cd91a0ce0168931ec5bb9a846e702e39

  • SHA512

    77db1a1cb741c431f224f31cf6edec189c92b53185250f3b186bd6275fc1d09b6668fa593ae3b86db57dcb52bed247c17a747eaf02ced102293f8918a2d4d8f8

  • SSDEEP

    3072:v6glyuxE4GsUPnliByocWep+rpfbfiwxmcyF:v6gDBGpvEByocWe2pfbfiwzyF

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-17_93ddced13de907d75d421aff8ce8cde3_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-17_93ddced13de907d75d421aff8ce8cde3_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\ProgramData\9444.tmp
      "C:\ProgramData\9444.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9444.tmp >> NUL
        3⤵
          PID:1360
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x150
    1⤵
    PID:1728
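
The process tree above is the classic drop, execute, self-delete chain: the submitted sample (PID 1712) writes and runs C:\ProgramData\9444.tmp (PID 2132), which then spawns cmd.exe (PID 1360) to DEL its own image, producing the "Deletes itself" and "Executes dropped EXE" signatures. The following Python is an added example, not part of the sandbox report or the sample: it runs that detection over process-creation events shaped like Sysmon Event ID 1 records (pid, ppid, image, command line). The events are constructed from the tree above; the parent PIDs of the two top-level processes and the 8.3 short-name table are assumptions, since the report does not show them.

```python
"""Detection logic for the drop / execute / self-delete chain in the process tree above.

Added example, not part of the sandbox report. Input events mimic the fields of a
process-creation log (Sysmon Event ID 1 style: pid, ppid, image, command line); the
sample events are constructed from the tree above, and the parent PIDs of the two
top-level processes are placeholders because the report does not show them.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable path as the OS reports it
    cmdline: str   # command line as the parent supplied it


# Constructed from the report's process tree. Note that pid 1360's image is
# SysWOW64\cmd.exe although the command line names System32\cmd.exe: the 32-bit
# dropper is subject to WOW64 file system redirection, so a detector must compare
# normalized paths and not trust either string alone.
EVENTS = [
    ProcEvent(1712, 0,
              r"C:\Users\Admin\AppData\Local\Temp\2024-02-17_93ddced13de907d75d421aff8ce8cde3_darkside.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\2024-02-17_93ddced13de907d75d421aff8ce8cde3_darkside.exe"'),
    ProcEvent(2132, 1712, r"C:\ProgramData\9444.tmp", r'"C:\ProgramData\9444.tmp"'),
    ProcEvent(1360, 2132, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9444.tmp >> NUL'),
    ProcEvent(1728, 0, r"C:\Windows\system32\AUDIODG.EXE", r"C:\Windows\system32\AUDIODG.EXE 0x150"),
]

# 8.3 short names seen in this chain (C:\PROGRA~3 is C:\ProgramData on this image).
# Assumption: a real detector resolves short names on the host instead of a table.
SHORT_NAMES = {r"c:\progra~3": r"c:\programdata"}

# "DEL [/switches] <target>"; the target may be quoted.
DEL_RE = re.compile(r'\bdel\b\s+(?:/\w+\s+)*(?P<target>"[^"]+"|\S+)', re.IGNORECASE)


def normalize(path: str) -> str:
    """Lower-case, strip quotes and expand known 8.3 short names so paths compare equal."""
    p = path.strip('"').lower()
    for short, full in SHORT_NAMES.items():
        if p.startswith(short):
            p = full + p[len(short):]
    return p


def find_dropped_tmp_execution(events):
    """(parent, child) pairs where a process ran an executable named *.tmp under C:\\ProgramData."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        img = normalize(e.image)
        if img.startswith("c:\\programdata\\") and img.endswith(".tmp") and e.ppid in by_pid:
            hits.append((by_pid[e.ppid], e))
    return hits


def find_self_delete(events):
    """(victim, cmd) pairs where a cmd.exe child deletes its parent's own image file."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not normalize(e.image).endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and normalize(m.group("target")) == normalize(parent.image):
            hits.append((parent, e))
    return hits


def flag_chain(events):
    """Full chain: dropper -> executed ProgramData *.tmp -> cmd.exe that deletes that .tmp."""
    executed = {child.pid: parent for parent, child in find_dropped_tmp_execution(events)}
    return [(executed[victim.pid], victim, cmd)
            for victim, cmd in find_self_delete(events) if victim.pid in executed]


if __name__ == "__main__":
    for dropper, victim, cmd in flag_chain(EVENTS):
        print(f"pid {dropper.pid} ran {victim.image} (pid {victim.pid}); "
              f"pid {cmd.pid} removed it: {cmd.cmdline}")
```

Run against the constructed events the chain check returns exactly one hit (1712 -> 2132 -> 1360); AUDIODG.EXE, a legitimate top-level process in the same tree, does not match. Comparing normalized paths is what makes the match work here, because the DEL target is written with the short name C:\PROGRA~3 while the executed image is logged as C:\ProgramData.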

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\$Recycle.Bin\S-1-5-21-452311807-3713411997-1028535425-1000\desktop.ini

        Filesize

        129B

        MD5

        e183418993f992d54479ee366a2fa6f1

        SHA1

        c7b109a4fe4d6e4c1852b84ea79f746363bf463f

        SHA256

        ab0443bc2f2a4279358cdefea5c7bad67842915df357b3936fa8d33a2653c532

        SHA512

        8ee09deaf3ab9a141b463c2abe511f8767426a9d9253bb5f98d7b690dce7088683d471c241a5dacf84ff2ca194c0a6db51aa553744b2580e93d10f426c94208b

      • C:\ProgramData\9444.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        146KB

        MD5

        92a0639ad482ac909572ee79961caace

        SHA1

        c4d23307d48a414df12b008b08f86d9b8951a8bb

        SHA256

        f4f70fb89ce9a3c6ecf30c3155f9e26a1e9f1958dc0a597091570fc6bdbc8187

        SHA512

        1b7527702b82128c9ba13c8c655935e8fc85b5919e708653d4d839fad894943e6526a40bc335b814d2fdaed53605b59acb5b1bfe783662c58375e475e0eee40e

      • C:\xy5yyVMdq.README.txt

        Filesize

        658B

        MD5

        616a27a1516d0e2c6596bd33f133a2a4

        SHA1

        324dd40d0a9896c2e73ffdcf982b44b4683d155a

        SHA256

        59a9e08e83de790add2307d86381c88ee787506ad6f00112c43c1b62dab7303a

        SHA512

        953f51cf527320ae67c3c3217eab5197c396eba548c20233b5a3bcadf3290e13478d1c1ec46768bbdbd4231e3fdcf7fb72714cb58ad2e88be0debc8ece23ee27

      • F:\$RECYCLE.BIN\S-1-5-21-452311807-3713411997-1028535425-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        c852ee9d15c97a9b451abb6dffbc0f74

        SHA1

        31118d9faf0d3651987ca4fd3fc424c054e41f27

        SHA256

        2cab046141a647445175d4bcbbbbe3b629faf5166ad215edc4f41a2b86e7e3c8

        SHA512

        e75c7b118a87b52cfaa8f4391e60b3c295680693b3c1c5eaf13ba5b8ce19b932aa09cf47d38f556510b5443825f7a5d590b6e20eb5bf2cf534e6be4cb1415a5f

      • memory/1712-0-0x0000000002530000-0x0000000002570000-memory.dmp

        Filesize

        256KB

      • memory/2132-858-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

        Filesize

        4KB

      • memory/2132-859-0x00000000020B0000-0x00000000020F0000-memory.dmp

        Filesize

        256KB

      • memory/2132-862-0x000000007EF80000-0x000000007EF81000-memory.dmp

        Filesize

        4KB

      • memory/2132-863-0x000000007EF20000-0x000000007EF21000-memory.dmp

        Filesize

        4KB

      • memory/2132-890-0x000000007EF40000-0x000000007EF41000-memory.dmp

        Filesize

        4KB

      • memory/2132-891-0x000000007EF40000-0x000000007EF41000-memory.dmp

        Filesize

        4KB