Analysis
-
max time kernel
121s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
13-03-2024 15:14
Behavioral task
behavioral1
Sample
2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
Resource
win7-20240221-en
General
-
Target
2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
-
Size
146KB
-
MD5
b68bf58ebf923d66ba30f4c892ff59d5
-
SHA1
3cb43567b90fd56edf0123cea2f46cc1b1290a83
-
SHA256
c0afa7d1d390d4d6310be70c31a01fb668521fb33a2b3239e41f3e8231451eac
-
SHA512
50eca65bde5718004694a33460ee5895b7fc9ce1679387399de739772982f93b07d28c939f314bc6edf22a7ee9f0391424dc92062af8c19eaf4349593ab45d50
-
SSDEEP
3072:96glyuxE4GsUPnliByocWep/7pwO8OlP6:96gDBGpvEByocWehPTy
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
2F89.tmppid process 460 2F89.tmp -
Executes dropped EXE 1 IoCs
Processes:
2F89.tmppid process 460 2F89.tmp -
Loads dropped DLL 1 IoCs
Processes:
2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exepid process 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exedescription ioc process File opened for modification C:\$Recycle.Bin\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe2F89.tmppid process 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 460 2F89.tmp -
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exepid process 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
Processes:
2F89.tmppid process 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp 460 2F89.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exedescription pid process Token: SeAssignPrimaryTokenPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeDebugPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: 36 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeImpersonatePrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeIncBasePriorityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeIncreaseQuotaPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: 33 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeManageVolumePrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeProfSingleProcessPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeRestorePrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSystemProfilePrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeTakeOwnershipPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeShutdownPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeDebugPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeBackupPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe Token: SeSecurityPrivilege 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe2F89.tmpdescription pid process target process PID 2948 wrote to memory of 460 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2F89.tmp PID 2948 wrote to memory of 460 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2F89.tmp PID 2948 wrote to memory of 460 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2F89.tmp PID 2948 wrote to memory of 460 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2F89.tmp PID 2948 wrote to memory of 460 2948 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe 2F89.tmp PID 460 wrote to memory of 1144 460 2F89.tmp cmd.exe PID 460 wrote to memory of 1144 460 2F89.tmp cmd.exe PID 460 wrote to memory of 1144 460 2F89.tmp cmd.exe PID 460 wrote to memory of 1144 460 2F89.tmp cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\ProgramData\2F89.tmp"C:\ProgramData\2F89.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2F89.tmp >> NUL3⤵PID:1144
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5c1e4e7609e7f2744a8d9a79f7aa7ecac
SHA1b0338d8cf096b0d5a38af6b89980622f4eec9c3c
SHA25678c2fce0fbfb5d72ac6e3d4e60023e58d205b28f09ee7a4bb070fbd77440425c
SHA51237bd2373d3203cfd63a0ee3c03052fe1a2955ab144e9718b370e3139235282ccbe03fd89763fc3f602799c82dd006f0bd30534660858e5078d3df04b4d6e6deb
-
Filesize
732B
MD53c30a01742ea1df843789b45788be189
SHA1fccfb826237ba1d9bf28c938837b76522b864532
SHA256d3ac4e88de00362317d3aff94930598ef32d3da8d67eebbf03f01d19fd297876
SHA512b0bc1a90f83813d4b9c8ee01b5c718381bfef2675140602753a24c033fa3b352e68a556988d4bc3d718d08a1564245bd634f26e96095e94c1605a9213d570a2f
-
Filesize
146KB
MD561e9031bde6efcb02a2e65f3eb99a4f5
SHA1c64db47e6023937a840826132486966e5f34c8e4
SHA2560c10eee03498c0e008b1a5471638e5d81da2051cc896b0ce8cae74f99284fbc6
SHA5120eb4ed73e5ef3cd0a765f82cbcc8d5410313bbab4aa6ff62950c95d4e507723b5d8b026f748c28bee6203f8f054d09f1ac6171f4dd96493c18bdc63d6c8b5235
-
Filesize
129B
MD5dd4975b2727eb600065d326ea4320c84
SHA1ab8f89c06026fb1894260212da8f5e249338d6a3
SHA256a2c64a45622e2b489b8b9870ee68e0bac77f5eb34e81fcdc513343a7f2cfd724
SHA512d9364e05f6708a409c4da3b2e0007826cb22df8b41ad98cc8ca1253a4f4800a5865b7f7cf0e68527ca75ae93170cd304ef794fa1cbc69b112212068f709b134c
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf