Analysis

  • max time kernel: 142s
  • max time network: 157s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 04-06-2024 11:25

General

  • Target

    2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe

  • Size

    146KB

  • MD5

    0f9efaba9a13338ad97e0e6ef2aabd6d

  • SHA1

    97db912c8f0055152837e424cd8764f905a29930

  • SHA256

    d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0

  • SHA512

    c8ab75ae0046c1c33f1141d1d85aeae9eaf4952f8cc9bb6993c0d29bd8f67c7a1430339020b4652ee399899f1c993c34feeeef54bfd0c37fa56825437f85149a

  • SSDEEP

    3072:g6glyuxE4GsUPnliByocWepRdJxGkpV4wTwAY:g6gDBGpvEByocWedG

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:224
    • C:\ProgramData\E1FF.tmp
      "C:\ProgramData\E1FF.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1068
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E1FF.tmp >> NUL
        3⤵
        PID:1748
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
    PID:4928
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1428 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:696
  • C:\Windows\system32\printfilterpipelinesvc.exe
    C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
      /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{C848788D-A8C1-49B9-8883-9E633DD4FA4D}.xps" 133619740084120000
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini

          Filesize

          129B

          MD5

          6a8677aaa5001baf4577b88f6d32cf6a

          SHA1

          d8f0a1c503ae5af987b15ce249382e5c57921de3

          SHA256

          04607838cd69e90a942b2ae46e0761587f71aeab9332f86e6a05ec68c29cba77

          SHA512

          8163fd0c842e1bc182ff92a1b6de3604c9365bef8be87de9c2a01d59c0704ab7c605a4a0c00e869a9dbbbb5ee70de16f8e0976365438a7ea56a3ef4dee0cff1d

        • C:\ProgramData\E1FF.tmp

          Filesize

          14KB

          MD5

          294e9f64cb1642dd89229fff0592856b

          SHA1

          97b148c27f3da29ba7b18d6aee8a0db9102f47c9

          SHA256

          917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

          SHA512

          b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

          Filesize

          146KB

          MD5

          2685b34f7afa8fa9371bf4a3261a38f9

          SHA1

          169dcd1f246e867fd8c411551cd9046263f39561

          SHA256

          703e3cdf5762ff12b7fec10d86ce0315922c4e6d41c31634d82a47e4e010ea2e

          SHA512

          47b3876fa0091a045ba9c28cbc194d828aee18c46c8ce6350748d0aac34d2c5e0d3173611c9946ed4bb6463740a0ed79662d805569bbf7a9e743ee2c13b67453

        • C:\Users\Admin\AppData\Local\Temp\{677253EE-8D30-4600-AC1C-AA7D70495884}

          Filesize

          4KB

          MD5

          4e5155d688c69ed027047e2ebaa820c7

          SHA1

          14ef45b4e0db99b695122607c6ec7636ee953e00

          SHA256

          9aa55ce1e16e02ce26f3c2fee0a6a89660ef275f32ec00d23004d6aa7eaba251

          SHA512

          c3bd636d6a50b3aef17607491b95a673c0fa6e36efadec4494ba0c4e5d7792082b8ee79680809b00ea8a85d752c832ff08ae5ec08402ba8afc758db07f4116b5

        • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

          Filesize

          4KB

          MD5

          418f776359a78be1efec7bc9dd2d0e21

          SHA1

          eac2e7ce4f64bfb329000e090484eaf561391896

          SHA256

          afd65ad983a99ef2912d5f36f06c246707a37fbbbb00732c36e5d9ee82ad1352

          SHA512

          cf24cccbf53c8b207691c3551bbb4a7991394ea1f5db3f92caca9d009bab1522a7aaa79fab3b69f78113d414cf912efb1448aabe3877f1254242a7296693d26a

        • C:\hokwnrPwS.README.txt

          Filesize

          865B

          MD5

          80ce254bf1170938cb7d41f5a98bf0ad

          SHA1

          f8eb2e6395f16c206d32d5fefccd4f7419324bc9

          SHA256

          36b49a373e27694fa1be03e9557ef503c0e436289de49ff59718f19c4131f4ea

          SHA512

          d1f065109ef0aaa0a57a58bc2018e5042bda9883e584520943c4a8ef0b3d424d88eba0f69b6d29fb92a52837d388f0ec31136d3c79f07469eaaa811976db86f7

        • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\DDDDDDDDDDD

          Filesize

          129B

          MD5

          4a7728340f3a480aaa43900ee4cdf7a3

          SHA1

          c9b1ca7ecb23dbd9aaaa93e280e6bac9bc66b7e0

          SHA256

          714c247ba739d12a9d0125dee19aea156844050e1a4abeca93e6505c169fc407

          SHA512

          fb0d7923939c749c2a3a1617606ee3e526f4914f05064443ada59ad36d34f6d924e4ba086c313ff8cfad4128c6a606db3b972a3cee69d6da94bcbcb7edbed67b
