415478012f448676e8a262afbcdc76d67763c87fab99d93c3db1612430f0d89d

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Size

147KB
MD5

679475b7a73405dd0c3fd038d0b107b8
SHA1

f5c824f8c8c1fe065aead63f8d56a7682eaece36
SHA256

415478012f448676e8a262afbcdc76d67763c87fab99d93c3db1612430f0d89d
SHA512

39d3ca516862b52daa16c7363b8fa41363e3271f6eff812b85140b8de8bb8f30d82cefda12012f1b05cee82e7731b6f70d1b65b241f536d3cc6b22da746b8441
SSDEEP

1536:ezICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDquSYEuwkC7106P7ZqHjuJF6Uyz:FqJogYkcSNm9V7DlScwF75ZqDuCT

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (156) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
1824	B2BC.tmp

Executes dropped EXE 1 IoCs

pid	Process
1824	B2BC.tmp

Loads dropped DLL 1 IoCs

pid	Process
1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1824	B2BC.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp
1824	B2BC.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeDebugPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: 36	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeImpersonatePrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeIncBasePriorityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeIncreaseQuotaPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: 33	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeManageVolumePrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeProfSingleProcessPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeRestorePrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSystemProfilePrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeTakeOwnershipPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeShutdownPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeDebugPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeBackupPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
Token: SeSecurityPrivilege	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1824	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe	30
PID 1284 wrote to memory of 1824	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe	30
PID 1284 wrote to memory of 1824	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe	30
PID 1284 wrote to memory of 1824	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe	30
PID 1284 wrote to memory of 1824	1284	2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe	30
PID 1824 wrote to memory of 2952	1824	B2BC.tmp	31
PID 1824 wrote to memory of 2952	1824	B2BC.tmp	31
PID 1824 wrote to memory of 2952	1824	B2BC.tmp	31
PID 1824 wrote to memory of 2952	1824	B2BC.tmp	31

C:\Users\Admin\AppData\Local\Temp\2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-26_679475b7a73405dd0c3fd038d0b107b8_darkside.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284
- C:\ProgramData\B2BC.tmp
  "C:\ProgramData\B2BC.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B2BC.tmp >> NUL
    3⤵
    PID:2952

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x154
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\FFFFFFFFFFF

Filesize
129B

MD5
2e4c3df23619b000a5d555d2e3e8d5d7

SHA1
0e44662dbaf0bfa9ae4a85d53c7d543c09aac81b

SHA256
29017f4c08d0a7b7dbcb4e5b3d05c4d3de73ae6ce8eb73a7994afcae5663105a

SHA512
a53a178dba79deeb962b01fccbb782e8e8352e1e8f95a744736efddf81068d07cc7373e1d16047e03d07d0c8e7d3b2cc3c3dffe7688e4e3573f768b2c4ee3742

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
147KB

MD5
7e0d3273899cc122ec2a21b6f90cc28f

SHA1
2f00df99b1bad46590b5a1ca876b8d57163fdb21

SHA256
23434d31bf0798c3fb8fa1459637805de51b48d00d8a19de4f00233e7b24f799

SHA512
6438a5581aec84873d00378602ea9ab5bdc83e2754b352be5e3823086def0a5df743c12db0e95e1a8f3668dde400113229bbeb32ac60a16babf14bf2b352316b

Download Submit
C:\Users\Admin\LpNCD6Y5q.README.txt

Filesize
1KB

MD5
9312c93cec7c860dd1a5b64f3bc4c015

SHA1
9b7775eaec5e9ecebb478fc782a93080cffb2c21

SHA256
9ca0843f0fc836986f969e2e5ee11a99094ba4603c655d28b25f283bc71574ab

SHA512
a95c07941b2e4eeb50683bd1c862c7d9f158d69db08711ff097a374ca24e6f5ac67391be372eb4ea47e6a4d3b91409d0f54b81788cb1649fe459e69b8fc51d86

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\DDDDDDDDDDD

Filesize
129B

MD5
45a9ec340ffdc043c2e290c1c8c2ef17

SHA1
6590715e74cfe90b02dfddd629023328d3ebd590

SHA256
ecbdf400405c3c556acd8c9e9408fa95ef762bd33cd869fb64a6e468c8699c6e

SHA512
35e6cf914eab4d30e154925911b4a656467b77ce6e21d64ca1158b95df54b7b1b646eb59c5c5ea62217e98f8a2bb6ad7a81f2b2d626af2cd5380c9a1749c0995

Download Submit
\ProgramData\B2BC.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1284-0-0x0000000000130000-0x0000000000170000-memory.dmp

Filesize
256KB

Download
memory/1824-285-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1824-287-0x0000000002170000-0x00000000021B0000-memory.dmp

Filesize
256KB

Download
memory/1824-315-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/1824-316-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1824-317-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/1824-318-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download