Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
13-03-2024 17:33
Behavioral task
behavioral1
Sample
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe
-
Size
147KB
-
MD5
66b3e535355102fd0cede6506739e474
-
SHA1
5a20c4d8bbb2495c817c92cfa060a6a235e6ed36
-
SHA256
9b3cd385077933c2a72cba58d23dcde77852818c3ce1a361baa5c6bbd915b82f
-
SHA512
f11bd1ed1f2f601ed5db353ff2f85982b3218e3a60f6d58c8f5f5a23df7560fce8fd67da37fe7ef6bc31de2883eb17c2389a1195820968562740a0e46c1569e6
-
SSDEEP
3072:T6glyuxE4GsUPnliByocWepjUeRBGYENO6g:T6gDBGpvEByocWexUeR0Y2N
Malware Config
Extracted
C:\NupqqeiS5.README.txt
Signatures
-
Renames multiple (329) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
Processes:
93C7.tmppid process 2468 93C7.tmp -
Executes dropped EXE 1 IoCs
Processes:
93C7.tmppid process 2468 93C7.tmp -
Loads dropped DLL 1 IoCs
Processes:
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exepid process 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exedescription ioc process File opened for modification C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\NupqqeiS5.bmp" 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\NupqqeiS5.bmp" 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe93C7.tmppid process 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 2468 93C7.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 2 IoCs
Processes:
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "10" 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe -
Modifies registry class 5 IoCs
Processes:
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.NupqqeiS5 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.NupqqeiS5\ = "NupqqeiS5" 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NupqqeiS5\DefaultIcon 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NupqqeiS5 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NupqqeiS5\DefaultIcon\ = "C:\\ProgramData\\NupqqeiS5.ico" 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exepid process 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
Processes:
93C7.tmppid process 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp 2468 93C7.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exedescription pid process Token: SeAssignPrimaryTokenPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeDebugPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: 36 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeImpersonatePrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeIncBasePriorityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeIncreaseQuotaPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: 33 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeManageVolumePrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeProfSingleProcessPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeRestorePrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSystemProfilePrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeTakeOwnershipPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeShutdownPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeDebugPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe93C7.tmpdescription pid process target process PID 2020 wrote to memory of 2468 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 93C7.tmp PID 2020 wrote to memory of 2468 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 93C7.tmp PID 2020 wrote to memory of 2468 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 93C7.tmp PID 2020 wrote to memory of 2468 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 93C7.tmp PID 2020 wrote to memory of 2468 2020 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 93C7.tmp PID 2468 wrote to memory of 2300 2468 93C7.tmp cmd.exe PID 2468 wrote to memory of 2300 2468 93C7.tmp cmd.exe PID 2468 wrote to memory of 2300 2468 93C7.tmp cmd.exe PID 2468 wrote to memory of 2300 2468 93C7.tmp cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\ProgramData\93C7.tmp"C:\ProgramData\93C7.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\93C7.tmp >> NUL3⤵PID:2300
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1541⤵PID:1588
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD55b8bfc098813cddf9d7312fc296ecd0d
SHA1503a450b3cd5ba3ff097caa9321b6a802dc1766d
SHA256b5a57ad3dd2deeba4b74508c7ca1ba5f3cb30af77074e1153d212987192f812e
SHA51226d95876f134b091533b165af8d89abfa1ff51da73e06d30ab59ac32bd002bdd26ac45b6fe7b4447eaf7802fc8e246c8cddab860a4842006f7b05150a3b8b99f
-
Filesize
1KB
MD5fb07c785132ffb451b7865b5f8be8793
SHA16ef563addf7aa1bc0a99b70a621bd7ba430a9412
SHA256369475944802faa69d76362094571070a549f9153e29cf5d54e5fd34e36ca0bd
SHA51292f1dadc9de8a3dd1aee9b5310b66ca9d98b26e587cf298e8967995fb2974a842c57e4c1d3458575a1890997cb62151ebbfce679c520f9868ec2d6ffa022f8fc
-
Filesize
147KB
MD50ac760eb9419f5001c93c95015e08d96
SHA15f117ad05fbd7dac06dd979cce7ed7d559981dc5
SHA256144c21c3975cd13d5888f316f074a082af4556373cb90556f031dddc294056cc
SHA51213d660b3f5ad4ab143cd10d93cdcbb8c3608cedbff2f9ef716db112d3aa32ebced57063f3c88dd5ef59e58826ef50f9fbb39dee9c628ceb84b228d8498e94025
-
Filesize
129B
MD558c95e73a02df8cfe7d7741f5e1cf751
SHA1c33200ec051bbc3e044409f39ae9ec55a95887a3
SHA2563048571e5ca3aa8b573b43eb404a45a0e465dc7342ee8340858d102a02523026
SHA51280f0d0ff97db6e5b72fae648935974154169ebfca516510faeea90ce4a0132d35bdfe315101ca7a48a0d27048124e47509978001769b36b552719926a74c32d5
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf