Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04-06-2024 11:25

General

  • Target

    2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe

  • Size

    146KB

  • MD5

    0f9efaba9a13338ad97e0e6ef2aabd6d

  • SHA1

    97db912c8f0055152837e424cd8764f905a29930

  • SHA256

    d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0

  • SHA512

    c8ab75ae0046c1c33f1141d1d85aeae9eaf4952f8cc9bb6993c0d29bd8f67c7a1430339020b4652ee399899f1c993c34feeeef54bfd0c37fa56825437f85149a

  • SSDEEP

    3072:g6glyuxE4GsUPnliByocWepRdJxGkpV4wTwAY:g6gDBGpvEByocWedG

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\ProgramData\2E32.tmp
      "C:\ProgramData\2E32.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2E32.tmp >> NUL
        3⤵
          PID:1420
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x148
      1⤵
        PID:2600

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini

        Filesize

        129B

        MD5

        a618a3169c224d2953695f3505090c2c

        SHA1

        fbc8b895ab5061dfca05379519f708ad519035d7

        SHA256

        8829c6ed918b67607b7f5c720813ccdf222b13c82b16b9c084d37164e042d2e3

        SHA512

        c690d2755d83a3e79b6c187e6a94cb9378e6e8c4a6ab2c517eb0171d323639bd568ec59c02c5673a3ccd7ad0ce95bae3e9a62520298f75112887e9099c55ea86

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        146KB

        MD5

        2be4143e87ff3eb34492fc49e94f697b

        SHA1

        85ad7f6279171d85e3ee88f64a47bb3f5a2f0585

        SHA256

        49a17a28e458de0ce4d1360010bb8c82939385fce96535fbbf51cb4f97e4181e

        SHA512

        685db66a7e8923b8b146b55bf95d012df349c2f99ef1e474b94bdd4cfac002d738a13761e85ef240302e1d481bc89d9b51998547e8a400ec8b711ebf7a444b31

      • C:\hokwnrPwS.README.txt

        Filesize

        865B

        MD5

        80ce254bf1170938cb7d41f5a98bf0ad

        SHA1

        f8eb2e6395f16c206d32d5fefccd4f7419324bc9

        SHA256

        36b49a373e27694fa1be03e9557ef503c0e436289de49ff59718f19c4131f4ea

        SHA512

        d1f065109ef0aaa0a57a58bc2018e5042bda9883e584520943c4a8ef0b3d424d88eba0f69b6d29fb92a52837d388f0ec31136d3c79f07469eaaa811976db86f7

      • F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        220cb1fd81d1ea73136cedc8e9575ac2

        SHA1

        084ad800f076ffd115db31d885a7b84a4c6e68e8

        SHA256

        326160f8905e5125eaaa006e60a58b76203e72e1beb44f860bbb679e6a4df412

        SHA512

        c3bba2e586bf56a38cfb76db58f00646e21e5cdf1c9f282adf7bf160166ea50b1e2288a701d4e87f233c4cf30968909a40f4c9b3e0716445852cd88320ecf9ec

      • \ProgramData\2E32.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • memory/1924-0-0x00000000001B0000-0x00000000001F0000-memory.dmp

        Filesize

        256KB

      • memory/1996-876-0x000000007EF20000-0x000000007EF21000-memory.dmp

        Filesize

        4KB

      • memory/1996-875-0x000000007EF80000-0x000000007EF81000-memory.dmp

        Filesize

        4KB

      • memory/1996-874-0x0000000002090000-0x00000000020D0000-memory.dmp

        Filesize

        256KB

      • memory/1996-873-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

        Filesize

        4KB

      • memory/1996-906-0x000000007EF60000-0x000000007EF61000-memory.dmp

        Filesize

        4KB

      • memory/1996-905-0x000000007EF40000-0x000000007EF41000-memory.dmp

        Filesize

        4KB