Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04-06-2024 11:25

Behavioral task: behavioral1
- Sample: 2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe
- Resource: win7-20240221-en
General
- Target: 2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe
- Size: 146KB
- MD5: 0f9efaba9a13338ad97e0e6ef2aabd6d
- SHA1: 97db912c8f0055152837e424cd8764f905a29930
- SHA256: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0
- SHA512: c8ab75ae0046c1c33f1141d1d85aeae9eaf4952f8cc9bb6993c0d29bd8f67c7a1430339020b4652ee399899f1c993c34feeeef54bfd0c37fa56825437f85149a
- SSDEEP: 3072:g6glyuxE4GsUPnliByocWepRdJxGkpV4wTwAY:g6gDBGpvEByocWedG
Malware Config
Signatures
- Deletes itself (1 IoC)
  Process: 2E32.tmp (PID 1996)
- Executes dropped EXE (1 IoC)
  Process: 2E32.tmp (PID 1996)
- Loads dropped DLL (1 IoC)
  Process: 2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe (PID 1924)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  Process: 2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe (PID 1924)
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Process: 2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe (PID 1924), 4 calls
  Process: 2E32.tmp (PID 1996), 1 call
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (5 IoCs)
  Process: 2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe (PID 1924)
  Operations in the order reported (a trailing backslash on a key path is that key's default value):
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS\DefaultIcon\ = "C:\\ProgramData\\hokwnrPwS.ico"
  Key created:     \REGISTRY\MACHINE\SOFTWARE\Classes\.hokwnrPwS
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.hokwnrPwS\ = "hokwnrPwS"
  Key created:     \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS\DefaultIcon
  Key created:     \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS
  Taken together these register a new file extension .hokwnrPwS, map it to a handler class hokwnrPwS, and give that class a DefaultIcon in C:\ProgramData, so files carrying the extension display a custom icon in Explorer.
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Process: 2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe (PID 1924), 14 occurrences
- Suspicious behavior: RenamesItself (26 IoCs)
  Process: 2E32.tmp (PID 1996), 26 occurrences
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Process: 2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe (PID 1924) for all 64 entries.
  Entries 1-16, in the order reported:
    SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege,
    SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege,
    SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege,
    SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege
  Entries 17-64: the sequence SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege repeated 12 times.
  Totals: SeBackupPrivilege 25, SeSecurityPrivilege 25, SeDebugPrivilege 2, every other token once. "36" and "33" are numeric privilege identifiers the report did not resolve to a name.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1924 (2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe) wrote to memory of PID 1996 (2E32.tmp): 5 writes, procid_target 30
  PID 1996 (2E32.tmp) wrote to memory of PID 1420 (cmd.exe): 4 writes, procid_target 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe"
   PID: 1924
   - Loads dropped DLL
   - Drops desktop.ini file(s)
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\2E32.tmp
      Command line: "C:\ProgramData\2E32.tmp"
      PID: 1996
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2E32.tmp >> NUL
         PID: 1420
1. C:\Windows\system32\AUDIODG.EXE
   Command line: C:\Windows\system32\AUDIODG.EXE 0x148
   PID: 2600

Two details of the cmd.exe child are worth reading carefully. The command line names C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe: the caller is a 32-bit process (the resource tags list arch:x86) and WoW64 file-system redirection substituted the 32-bit binary. C:\PROGRA~3 is the 8.3 short name under which C:\ProgramData appears in the command line, so the DEL target is the parent's own image, which is what the "Deletes itself" signature on PID 1996 records.
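The "Modifies registry class" and "AdjustPrivilegeToken" signature rows and the cmd.exe self-delete in the process tree are the kind of sandbox output that is worth turning into detection logic rather than reading by eye. The following is an added example and not the sandbox's own code or anything from the sample: it re-types those rows as Python literals (copied from the report, with parent PIDs reconstructed from the tree nesting), flags a freshly registered extension class that gets its own DefaultIcon, finds a cmd.exe child whose DEL target is its parent's own image (comparing basenames, because the report shows the 8.3 short path), and collapses the 64 token adjustments into counts. The function names and the FILE_ACCESS_PRIVILEGES watchlist are this example's own assumptions.

```python
"""Re-typed signature rows from a sandbox report, run through simple detection logic.

Added example: not the sandbox's code and not the sample's. The data literals are
copied from the report above; the helper names and the privilege watchlist are
this example's own assumptions.
"""
import re
from collections import Counter

# "Modifies registry class" rows, copied from the report as (op, key, value).
# A trailing backslash on a key marks its (Default) value.
REGISTRY_OPS = [
    ("Set value (str)", "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\hokwnrPwS\\DefaultIcon\\",
     "C:\\ProgramData\\hokwnrPwS.ico"),
    ("Key created", "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.hokwnrPwS", None),
    ("Set value (str)", "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.hokwnrPwS\\", "hokwnrPwS"),
    ("Key created", "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\hokwnrPwS\\DefaultIcon", None),
    ("Key created", "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\hokwnrPwS", None),
]

# Process tree copied from the report; ppid links reconstructed from its nesting.
SAMPLE = "2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe"
PROCESSES = [
    {"pid": 1924, "ppid": None, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'},
    {"pid": 1996, "ppid": 1924, "image": "C:\\ProgramData\\2E32.tmp",
     "cmdline": '"C:\\ProgramData\\2E32.tmp"'},
    {"pid": 1420, "ppid": 1996, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /C DEL /F /Q C:\\PROGRA~3\\2E32.tmp >> NUL'},
    {"pid": 2600, "ppid": None, "image": "C:\\Windows\\system32\\AUDIODG.EXE",
     "cmdline": "C:\\Windows\\system32\\AUDIODG.EXE 0x148"},
]

# The 64 AdjustPrivilegeToken entries for PID 1924, in the order the report lists them.
TOKEN_PRIVILEGES = [
    "SeAssignPrimaryTokenPrivilege", "SeBackupPrivilege", "SeDebugPrivilege", "36",
    "SeImpersonatePrivilege", "SeIncBasePriorityPrivilege", "SeIncreaseQuotaPrivilege", "33",
    "SeManageVolumePrivilege", "SeProfSingleProcessPrivilege", "SeRestorePrivilege",
    "SeSecurityPrivilege", "SeSystemProfilePrivilege", "SeTakeOwnershipPrivilege",
    "SeShutdownPrivilege", "SeDebugPrivilege",
] + ["SeBackupPrivilege", "SeBackupPrivilege", "SeSecurityPrivilege", "SeSecurityPrivilege"] * 12

# Assumed watchlist: privileges that let a process bypass file ACLs or touch volumes directly.
FILE_ACCESS_PRIVILEGES = {"SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
                          "SeSecurityPrivilege", "SeManageVolumePrivilege"}

_EXT_CLASS = re.compile(r"\\Classes\\(\.[^\\]+)$")
_DEL_CMD = re.compile(r"\bDEL\s+(?:/[A-Z]\s+)*([^\s>\"]+)", re.IGNORECASE)


def detect_extension_branding(ops):
    """Find new file-extension classes whose handler gets its own DefaultIcon, the
    pattern ransomware uses to give encrypted files a custom extension and icon.
    Returns a list of (extension, handler, icon_path)."""
    defaults = {key.rstrip("\\"): value for op, key, value in ops if op.startswith("Set value")}
    hits = []
    for key, handler in defaults.items():
        m = _EXT_CLASS.search(key)
        if not m or not handler:
            continue
        icon = defaults.get(key[:m.start(1)] + handler + "\\DefaultIcon")
        hits.append((m.group(1), handler, icon))
    return hits


def detect_self_delete(processes):
    """Find cmd.exe children whose DEL target is the parent's own image file.
    Basenames are compared because the report shows the 8.3 short path
    (C:\\PROGRA~3) in the command line but the long path in the image field."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for p in processes:
        parent = by_pid.get(p["ppid"])
        m = _DEL_CMD.search(p["cmdline"])
        if parent is None or not p["image"].lower().endswith("\\cmd.exe") or not m:
            continue
        target = m.group(1)
        if target.rsplit("\\", 1)[-1].lower() == parent["image"].rsplit("\\", 1)[-1].lower():
            hits.append((parent["pid"], parent["image"], target))
    return hits


def privilege_summary(tokens):
    """Collapse a long AdjustPrivilegeToken list into counts plus the file-access subset."""
    counts = Counter(tokens)
    return {
        "total": len(tokens),
        "distinct": len(counts),
        "top": counts.most_common(2),
        "file_access": sorted(FILE_ACCESS_PRIVILEGES & set(counts)),
    }


def triage(ops=REGISTRY_OPS, processes=PROCESSES, tokens=TOKEN_PRIVILEGES):
    """Run the three checks and return one dict of findings."""
    return {
        "extension_branding": detect_extension_branding(ops),
        "self_delete": detect_self_delete(processes),
        "privileges": privilege_summary(tokens),
    }


if __name__ == "__main__":
    for name, value in triage().items():
        print(f"{name}: {value}")
```

The extension check keys off the default value of a Classes\.ext key pointing at a handler that also receives a DefaultIcon; a legitimate installer does the same, so in production this would be correlated with the process that wrote it (here an executable running from the user's Temp directory) rather than used alone. The self-delete check deliberately ignores the drive and directory of the DEL target, which is what makes it robust to the short-name form in this report.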
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: a618a3169c224d2953695f3505090c2c
  SHA1: fbc8b895ab5061dfca05379519f708ad519035d7
  SHA256: 8829c6ed918b67607b7f5c720813ccdf222b13c82b16b9c084d37164e042d2e3
  SHA512: c690d2755d83a3e79b6c187e6a94cb9378e6e8c4a6ab2c517eb0171d323639bd568ec59c02c5673a3ccd7ad0ce95bae3e9a62520298f75112887e9099c55ea86
- Filesize: 146KB
  MD5: 2be4143e87ff3eb34492fc49e94f697b
  SHA1: 85ad7f6279171d85e3ee88f64a47bb3f5a2f0585
  SHA256: 49a17a28e458de0ce4d1360010bb8c82939385fce96535fbbf51cb4f97e4181e
  SHA512: 685db66a7e8923b8b146b55bf95d012df349c2f99ef1e474b94bdd4cfac002d738a13761e85ef240302e1d481bc89d9b51998547e8a400ec8b711ebf7a444b31
- Filesize: 865B
  MD5: 80ce254bf1170938cb7d41f5a98bf0ad
  SHA1: f8eb2e6395f16c206d32d5fefccd4f7419324bc9
  SHA256: 36b49a373e27694fa1be03e9557ef503c0e436289de49ff59718f19c4131f4ea
  SHA512: d1f065109ef0aaa0a57a58bc2018e5042bda9883e584520943c4a8ef0b3d424d88eba0f69b6d29fb92a52837d388f0ec31136d3c79f07469eaaa811976db86f7
- Filesize: 129B
  MD5: 220cb1fd81d1ea73136cedc8e9575ac2
  SHA1: 084ad800f076ffd115db31d885a7b84a4c6e68e8
  SHA256: 326160f8905e5125eaaa006e60a58b76203e72e1beb44f860bbb679e6a4df412
  SHA512: c3bba2e586bf56a38cfb76db58f00646e21e5cdf1c9f282adf7bf160166ea50b1e2288a701d4e87f233c4cf30968909a40f4c9b3e0716445852cd88320ecf9ec
- Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf