Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
26-04-2024 00:33
Behavioral task
behavioral1
Sample
2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe
-
Size
194KB
-
MD5
34ad9c2c499594153ddb8ad088cf515e
-
SHA1
458e5d8b8b707afb3fff1ad5a9f31aa08c34bf2b
-
SHA256
63a4561804b90ef42862b49e86a23ff1490830f42c17189963a0dc4a0fadf1c5
-
SHA512
7b97052bc11232035db0aa635405ee4a4abdb69d349d0aedea09395dd38857e6e5b5d47b9db654d4b538eaf49dd7fab9a65633e36381e389fc3b5a037008cf29
-
SSDEEP
3072:t6glyuxE4GsUPnliByocWepiHkZmlkQIQP6fo:t6gDBGpvEByocWeQwLAPm
Malware Config
Signatures
-
Renames multiple (345) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
Processes:
BA0C.tmppid process 1628 BA0C.tmp -
Executes dropped EXE 1 IoCs
Processes:
BA0C.tmppid process 1628 BA0C.tmp -
Loads dropped DLL 1 IoCs
Processes:
2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exepid process 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exedescription ioc process File opened for modification C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\kZd6jLIwz.bmp" 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\kZd6jLIwz.bmp" 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exeBA0C.tmppid process 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe 1628 BA0C.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 2 IoCs
Processes:
2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "10" 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe -
Modifies registry class 5 IoCs
Processes:
2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\kZd6jLIwz 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\kZd6jLIwz\DefaultIcon\ = "C:\\ProgramData\\kZd6jLIwz.ico" 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.kZd6jLIwz 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.kZd6jLIwz\ = "kZd6jLIwz" 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\kZd6jLIwz\DefaultIcon 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exepid process 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
Processes:
BA0C.tmppid process 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp 1628 BA0C.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exedescription pid process Token: SeAssignPrimaryTokenPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeDebugPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: 36 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeImpersonatePrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeIncBasePriorityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeIncreaseQuotaPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: 33 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeManageVolumePrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeProfSingleProcessPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeRestorePrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSystemProfilePrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeTakeOwnershipPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeShutdownPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeDebugPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeBackupPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe Token: SeSecurityPrivilege 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exeBA0C.tmpdescription pid process target process PID 2764 wrote to memory of 1628 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe BA0C.tmp PID 2764 wrote to memory of 1628 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe BA0C.tmp PID 2764 wrote to memory of 1628 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe BA0C.tmp PID 2764 wrote to memory of 1628 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe BA0C.tmp PID 2764 wrote to memory of 1628 2764 2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe BA0C.tmp PID 1628 wrote to memory of 2728 1628 BA0C.tmp cmd.exe PID 1628 wrote to memory of 2728 1628 BA0C.tmp cmd.exe PID 1628 wrote to memory of 2728 1628 BA0C.tmp cmd.exe PID 1628 wrote to memory of 2728 1628 BA0C.tmp cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-26_34ad9c2c499594153ddb8ad088cf515e_darkside.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\ProgramData\BA0C.tmp"C:\ProgramData\BA0C.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BA0C.tmp >> NUL3⤵PID:2728
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1541⤵PID:880
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.iniFilesize
129B
MD5b234293e4885020733443345d746720d
SHA1cffdff13ff349d511fd13eba583217bf63ab349c
SHA2560a510f24d15cc9aed38bc3ce399343e3851a610475445ac3a582a3e7fd3e7e05
SHA5121520642d14360291e65a1eca55164f2b4167e46770e5aa63cf9f26772cd2a59f7c30e932248ff60c19ac1fc7a062a371158877ac9b35666c08af621f72fc0784
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDFilesize
194KB
MD517889109b6d11423786c2f7be1a03d35
SHA1a1b018dc711fdcab0f5e77ef43da0940a168fabd
SHA256ce3c8df49e5d746aa35099cf9a0b605a9c6f8926687f55b4bf533f4abcdf93f7
SHA5120c8ff51f287defd0680d2b994b3022f151bd8717542303c3359815c5770e5e7d18184c5e8c90eb733d024629d0862396b066d97d69a1a32ea6744e6aca1e6f78
-
C:\kZd6jLIwz.README.txtFilesize
449B
MD5c2f46db865b0ba6ef8f9385cf458a56e
SHA10b2f94fcf38ef15f59bb86a3296b7da514b4ac4e
SHA256c25759e6083dd4bf592a6da2063c45def5adc9a6ef2ed15820128a0d838f70fe
SHA5129927b209ca26e3243fac9f003c6af7663ba84405346fbdb66c6f401387cd20ea3f99d63d0858ebdc76f2e6bc722d41e2a1f599bc6f7d97b0687dba95dea31b39
-
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\HHHHHHHHHHHFilesize
129B
MD5b9e8fca0ca2e792d6a7facc2ddbb1b17
SHA18c92f1213681427a46654c89b10da243b8d59e62
SHA256078800231e50238d6a1be65f08fc59a46dff64327344e12c258bb4caaea6ead0
SHA512db4c7e0c86a2a07968786cac01b9e2e79ea5d57329b577393c96edba9e7ce6f892d977a3efcb7ffe2d15915a7c2824024617bb2384d41172379d592b849de461
-
\ProgramData\BA0C.tmpFilesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
memory/1628-863-0x000000007EFA0000-0x000000007EFA1000-memory.dmpFilesize
4KB
-
memory/1628-864-0x00000000023C0000-0x0000000002400000-memory.dmpFilesize
256KB
-
memory/1628-866-0x000000007EF80000-0x000000007EF81000-memory.dmpFilesize
4KB
-
memory/1628-868-0x000000007EF20000-0x000000007EF21000-memory.dmpFilesize
4KB
-
memory/1628-895-0x000000007EF40000-0x000000007EF41000-memory.dmpFilesize
4KB
-
memory/1628-896-0x000000007EF60000-0x000000007EF61000-memory.dmpFilesize
4KB
-
memory/2764-0-0x00000000023D0000-0x0000000002410000-memory.dmpFilesize
256KB