Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23-02-2024 01:47
Behavioral task
behavioral1
Sample
2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe
Resource
win10v2004-20240221-en
General
-
Target
2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe
-
Size
146KB
-
MD5
951a7673b6ad24bfcbf086db0873c7f4
-
SHA1
67275f726f320df71bbeed04804571cf9e73eb42
-
SHA256
a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0
-
SHA512
3b358dd9eb8fa2d18fd436351f21d33dfe5e30057edd9df2e242b1520b447c5efcaa964cb6a8024ed2cff6ff6e60c1f751efc1c9fd8e430352e960d820f6ad36
-
SSDEEP
1536:izICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDstorzC23uqOKqpGX+1KBh+QHzT:hqJogYkcSNm9V7D1O9FpN12h+QTT
Malware Config
Extracted
C:\2zAdN8qob.README.txt
Signatures
-
Renames multiple (311) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
Processes:
61BF.tmppid process 768 61BF.tmp -
Executes dropped EXE 1 IoCs
Processes:
61BF.tmppid process 768 61BF.tmp -
Loads dropped DLL 1 IoCs
Processes:
2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exepid process 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exedescription ioc process File opened for modification C:\$Recycle.Bin\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\2zAdN8qob.bmp" 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\2zAdN8qob.bmp" 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
61BF.tmppid process 768 61BF.tmp -
Modifies Control Panel 2 IoCs
Processes:
2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\WallpaperStyle = "10" 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe -
Modifies registry class 5 IoCs
Processes:
2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.2zAdN8qob 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.2zAdN8qob\ = "2zAdN8qob" 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\2zAdN8qob\DefaultIcon 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\2zAdN8qob 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\2zAdN8qob\DefaultIcon\ = "C:\\ProgramData\\2zAdN8qob.ico" 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exepid process 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
Processes:
61BF.tmppid process 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp 768 61BF.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exedescription pid process Token: SeAssignPrimaryTokenPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeDebugPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: 36 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeImpersonatePrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeIncBasePriorityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeIncreaseQuotaPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: 33 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeManageVolumePrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeProfSingleProcessPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeRestorePrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSystemProfilePrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeTakeOwnershipPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeShutdownPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeDebugPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeBackupPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe Token: SeSecurityPrivilege 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe61BF.tmpdescription pid process target process PID 2212 wrote to memory of 768 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 61BF.tmp PID 2212 wrote to memory of 768 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 61BF.tmp PID 2212 wrote to memory of 768 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 61BF.tmp PID 2212 wrote to memory of 768 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 61BF.tmp PID 2212 wrote to memory of 768 2212 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe 61BF.tmp PID 768 wrote to memory of 2776 768 61BF.tmp cmd.exe PID 768 wrote to memory of 2776 768 61BF.tmp cmd.exe PID 768 wrote to memory of 2776 768 61BF.tmp cmd.exe PID 768 wrote to memory of 2776 768 61BF.tmp cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\ProgramData\61BF.tmp"C:\ProgramData\61BF.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\61BF.tmp >> NUL3⤵PID:2776
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1541⤵PID:1584
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5e77d37b790e6a4c2e55fec4f46d5c8c1
SHA127ec916543e1dc85f1ba86faa96d927d008d5b96
SHA2561d3db89070d0a40177a107940b78c36de5b82caab7bba1d4f0b1bf6674e39df4
SHA5121cff47b22998e04c6e778b0c84161e1d5e012aa30c8a07be4442471d601beb460820f46ef93b05f07d3130d432228f5d401c5f58cbac09181ca9add8f9bb3517
-
Filesize
989B
MD55ddb821b9f16c355689466bbf403c709
SHA10af9cd9d9dbd3745f0dcd64f07aac19c749884a7
SHA256c3a9f3fd8c57ecc6361b705409279b96b228de99ef056e0dc9b51819746bc8d6
SHA5121da4c9268eba6a19fc136e5d3feb670a8c213f9382c5a202ed4af894da0e2d60e8540aec2785de93428046a39bf6128df36ff8cab8dca30fae693d4beab44c1a
-
Filesize
146KB
MD576f22172160f0960caa3fe841a3183aa
SHA1c730070e40110c58af0453194327c6712740f1b7
SHA25684f040d08fbe8ec75899bf49f980d295767fa606b59bfbde2b4a1217b8db6c41
SHA51260539e8252042b4c1e5823e1a71c3124a0f6b39c5d6c582ef2a5d712d9117a699ed1f264205d72468622963ccab3a8a8c4b99d10fca0c7017762267eac512240
-
Filesize
129B
MD5d953149cebe7b051c1dae623b8db160e
SHA1e6708fed7fbd56dcfb90d639332ed80ee7706b94
SHA25616b6b8dc20f795bef8ccee48ab24685cb69bb2ed2467d89ad7dca2681ffef1c8
SHA512be7f8a24f99f283fc3256558302c1efcdd2897d9addf36001b658d3b4edf74c453d751ce99a019b9fb62e88f4600bf1e17fdccb9ebcdd8aea9daca86a418fb51
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf