Analysis

  • max time kernel: 149s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240704-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 06-07-2024 00:01

General

  • Target: 2024-07-05_28516542f607440d0e58e211163f3e71_darkside.exe
  • Size: 147KB
  • MD5: 28516542f607440d0e58e211163f3e71
  • SHA1: 8932290b8859c41bbdab2f3edc89223e0584c3bc
  • SHA256: 6338cb84816874aa4365f23aac592ef3b0ead42975b0a8fa8cdac554fc11dd6a
  • SHA512: 231c0dc144c1af65e1309f068174c18d11fd371942472d0a994f856df1cb30c889a00a80b70448509ec91ae4c3e7c8215eb242be9ed8ba799beef98d700bccdb
  • SSDEEP: 3072:p6glyuxE4GsUPnliByocWepBaCB8b8UGrr:p6gDBGpvEByocWezOlC

Malware Config

Signatures

  • Renames multiple (625) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself (1 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) (2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies Control Panel (2 IoCs)
  • Modifies registry class (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: RenamesItself (26 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of SetWindowsHookEx (13 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-05_28516542f607440d0e58e211163f3e71_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-05_28516542f607440d0e58e211163f3e71_darkside.exe"
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID: 2844
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      • Drops file in System32 directory
      PID: 1720
    • C:\ProgramData\293F.tmp
      "C:\ProgramData\293F.tmp"
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID: 668
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\293F.tmp >> NUL
        PID: 4332
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    PID: 4104
  • C:\Windows\system32\printfilterpipelinesvc.exe
    C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID: 2828
    • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
      /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{4EBBDF12-7A8E-4A61-825C-D594086D8D9F}.xps" 133646976918290000
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID: 1684

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2753856825-3907105642-1818461144-1000\YYYYYYYYYYY
    Filesize: 129B
    MD5: 7bc492e4d073b3072ba6e191df06d399
    SHA1: f0fb11e70d05f69161c0a5bb0015a47fdd043236
    SHA256: 5d1452bb46516956891704d1aa0d79d19d899e872ab31752eac6cf622a80200b
    SHA512: ee13d6dcb02e03e43d1c7dd66c121a8a4fb38c94b0a0f86e2864d744b05c0c4448026166c573834c0b7e52f8176403791c844e1d0776ff10c0be368718ffa283

  • C:\ProgramData\293F.tmp
    Filesize: 14KB
    MD5: 294e9f64cb1642dd89229fff0592856b
    SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
    Filesize: 147KB
    MD5: abbaaf7dd66e491abaec577e0ad717bd
    SHA1: ff975bfb0deebcbd86450dd914a11c884fae6caa
    SHA256: 4402b11f413025af0bbae0cb46def4652e9625de1db928dd6e8e37b068075ecc
    SHA512: 753c271996d3af8587ab97665c0d344a3857f33f95283105e00b118142c49085acb7930943e2e811c6e1904e2a16a7429c566116486d32d884a87b16cb6ffc3c

  • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
    Filesize: 4KB
    MD5: 92cbed56602c275f0accf281bea5dd6d
    SHA1: af576d64ca9dff97990ca78b4e93ae60124829fd
    SHA256: 3b1f9e0cdfa886639d3ea12b87d59372238deaadaf592c41a53fb190c0adc457
    SHA512: b0fdd0681257296699c21ee52db49be1f3c5b2a1b9bd82b6d298d37b13bafbbacd543e23edc71f32540ea7ef7362426ff935613228a32520c37a513404a0e343

  • C:\jK8voaKLl.README.txt
    Filesize: 1KB
    MD5: fe260d259877d978c354c152a4afd9ee
    SHA1: 0558c0c395b6a1d1e1ea6249cb8c753510895271
    SHA256: 86b4b2c76bdce0ac995ead72a55f6aa04a8f387f43559c95c1b39c4c10b18603
    SHA512: 4bf013d0b05482602dfb6415fce225043158f978c4d17b1d7f5835e52e30c62db5cc990adc9bc6a3895f71b45a64facffa6552cb096a08fb0a1acd6d59635b64

  • F:\$RECYCLE.BIN\S-1-5-21-2753856825-3907105642-1818461144-1000\DDDDDDDDDDD
    Filesize: 129B
    MD5: 5054820078979d6b45a3a19ee96335db
    SHA1: 74c83ef16ad81da40b4d7a255d7f7c26978fdc11
    SHA256: fa228597b852c3c410f96efbca3417a0e3e9961609656651ff9947d5bffa647d
    SHA512: d2da278f7a226dbdafa4288c072bbc93fec5bba61b830a088c603594dbdf2eb39d71dca8f9ea43be5dda2927a9df329821df0635c48bf1c3e0f4136e2e7fec11

  • memory/1684-2986-0x00007FFA82B70000-0x00007FFA82B80000-memory.dmp
    Filesize: 64KB

  • memory/1684-2990-0x00007FFA82B70000-0x00007FFA82B80000-memory.dmp
    Filesize: 64KB

  • memory/1684-2988-0x00007FFA82B70000-0x00007FFA82B80000-memory.dmp
    Filesize: 64KB

  • memory/1684-2987-0x00007FFA82B70000-0x00007FFA82B80000-memory.dmp
    Filesize: 64KB

  • memory/1684-2991-0x00007FFA82B70000-0x00007FFA82B80000-memory.dmp
    Filesize: 64KB

  • memory/1684-3020-0x00007FFA808A0000-0x00007FFA808B0000-memory.dmp
    Filesize: 64KB

  • memory/1684-3021-0x00007FFA808A0000-0x00007FFA808B0000-memory.dmp
    Filesize: 64KB

  • memory/2844-0-0x0000000002B20000-0x0000000002B30000-memory.dmp
    Filesize: 64KB

  • memory/2844-1-0x0000000002B20000-0x0000000002B30000-memory.dmp
    Filesize: 64KB

  • memory/2844-2-0x0000000002B20000-0x0000000002B30000-memory.dmp
    Filesize: 64KB