Analysis

  • max time kernel: 121s
  • max time network: 146s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-03-2024 15:14

General

  • Target: 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  • Size: 146KB
  • MD5: b68bf58ebf923d66ba30f4c892ff59d5
  • SHA1: 3cb43567b90fd56edf0123cea2f46cc1b1290a83
  • SHA256: c0afa7d1d390d4d6310be70c31a01fb668521fb33a2b3239e41f3e8231451eac
  • SHA512: 50eca65bde5718004694a33460ee5895b7fc9ce1679387399de739772982f93b07d28c939f314bc6edf22a7ee9f0391424dc92062af8c19eaf4349593ab45d50
  • SSDEEP: 3072:96glyuxE4GsUPnliByocWep/7pwO8OlP6:96gDBGpvEByocWehPTy

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\ProgramData\2F89.tmp
      "C:\ProgramData\2F89.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:460
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2F89.tmp >> NUL
        3⤵
        PID:1144

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini
    Filesize: 129B
    MD5: c1e4e7609e7f2744a8d9a79f7aa7ecac
    SHA1: b0338d8cf096b0d5a38af6b89980622f4eec9c3c
    SHA256: 78c2fce0fbfb5d72ac6e3d4e60023e58d205b28f09ee7a4bb070fbd77440425c
    SHA512: 37bd2373d3203cfd63a0ee3c03052fe1a2955ab144e9718b370e3139235282ccbe03fd89763fc3f602799c82dd006f0bd30534660858e5078d3df04b4d6e6deb

  • C:\PD9tZdd3p.README.txt
    Filesize: 732B
    MD5: 3c30a01742ea1df843789b45788be189
    SHA1: fccfb826237ba1d9bf28c938837b76522b864532
    SHA256: d3ac4e88de00362317d3aff94930598ef32d3da8d67eebbf03f01d19fd297876
    SHA512: b0bc1a90f83813d4b9c8ee01b5c718381bfef2675140602753a24c033fa3b352e68a556988d4bc3d718d08a1564245bd634f26e96095e94c1605a9213d570a2f

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
    Filesize: 146KB
    MD5: 61e9031bde6efcb02a2e65f3eb99a4f5
    SHA1: c64db47e6023937a840826132486966e5f34c8e4
    SHA256: 0c10eee03498c0e008b1a5471638e5d81da2051cc896b0ce8cae74f99284fbc6
    SHA512: 0eb4ed73e5ef3cd0a765f82cbcc8d5410313bbab4aa6ff62950c95d4e507723b5d8b026f748c28bee6203f8f054d09f1ac6171f4dd96493c18bdc63d6c8b5235

  • F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\BBBBBBBBBBB
    Filesize: 129B
    MD5: dd4975b2727eb600065d326ea4320c84
    SHA1: ab8f89c06026fb1894260212da8f5e249338d6a3
    SHA256: a2c64a45622e2b489b8b9870ee68e0bac77f5eb34e81fcdc513343a7f2cfd724
    SHA512: d9364e05f6708a409c4da3b2e0007826cb22df8b41ad98cc8ca1253a4f4800a5865b7f7cf0e68527ca75ae93170cd304ef794fa1cbc69b112212068f709b134c

  • \ProgramData\2F89.tmp
    Filesize: 14KB
    MD5: 294e9f64cb1642dd89229fff0592856b
    SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • memory/460-851-0x000000007EFA0000-0x000000007EFA1000-memory.dmp
    Filesize: 4KB

  • memory/460-852-0x0000000002210000-0x0000000002250000-memory.dmp
    Filesize: 256KB

  • memory/460-856-0x000000007EF80000-0x000000007EF81000-memory.dmp
    Filesize: 4KB

  • memory/460-858-0x000000007EF20000-0x000000007EF21000-memory.dmp
    Filesize: 4KB

  • memory/460-883-0x000000007EF40000-0x000000007EF41000-memory.dmp
    Filesize: 4KB

  • memory/460-884-0x000000007EF60000-0x000000007EF61000-memory.dmp
    Filesize: 4KB

  • memory/2948-0-0x00000000001A0000-0x00000000001E0000-memory.dmp
    Filesize: 256KB