b08194fdeffcc70daccf02c8eb3f9c15ba34cff4052cd670e01822caab93526a

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Size

145KB
MD5

2f948f1174f626c357e32082a41b2608
SHA1

6cc04220cc7b08b9d910765d49e63b1f76d5a8e4
SHA256

b08194fdeffcc70daccf02c8eb3f9c15ba34cff4052cd670e01822caab93526a
SHA512

bccdab1d8b34e4612e1e9d0b478dd719fd35be202b2390075ede664a295348dd51dbd78d8009e062ff281a6a9ae7f7f501ef47d47895dac4a5c028f7a52d64bb
SSDEEP

3072:MqJogYkcSNm9V7D5WIlADZSQRhaTgInT:Mq2kc4m9tD5BdOcgI

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (321) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

19E7.tmp

pid	Process
316	19E7.tmp

Executes dropped EXE 1 IoCs

Processes:

19E7.tmp

pid	Process
316	19E7.tmp

Loads dropped DLL 1 IoCs

Processes:

2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe

pid	Process
2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

19E7.tmp

pid	Process
316	19E7.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe

pid	Process
2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

19E7.tmp

pid	Process
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp
316	19E7.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeDebugPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: 36	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeImpersonatePrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeIncBasePriorityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeIncreaseQuotaPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: 33	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeManageVolumePrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeProfSingleProcessPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeRestorePrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSystemProfilePrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeTakeOwnershipPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeShutdownPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeDebugPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeBackupPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
Token: SeSecurityPrivilege	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe19E7.tmp

description	pid	Process	procid_target
PID 2444 wrote to memory of 316	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe	32
PID 2444 wrote to memory of 316	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe	32
PID 2444 wrote to memory of 316	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe	32
PID 2444 wrote to memory of 316	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe	32
PID 2444 wrote to memory of 316	2444	2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe	32
PID 316 wrote to memory of 2776	316	19E7.tmp	33
PID 316 wrote to memory of 2776	316	19E7.tmp	33
PID 316 wrote to memory of 2776	316	19E7.tmp	33
PID 316 wrote to memory of 2776	316	19E7.tmp	33

C:\Users\Admin\AppData\Local\Temp\2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_2f948f1174f626c357e32082a41b2608_darkside.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\ProgramData\19E7.tmp
  "C:\ProgramData\19E7.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\19E7.tmp >> NUL
    3⤵
    PID:2776

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini

Filesize
129B

MD5
093ee124391f945e5fefa3fb83f8c3cd

SHA1
fa56a4ec889c3d5052a6c81f443fc2560733bdc1

SHA256
e651c50775dbfba58c5fa2aac22f7001b4a6139c44fa6c88a760554063dc805a

SHA512
45a73a8374adad9633493c9e83b5fd9a398e5c6f1c44a83309a222e04285ac6935180de13058d7d215c1aeb3649f91c89afcef009e02d414054de1a638349209

Download Submit
C:\GmvBLc9qu.README.txt

Filesize
316B

MD5
6a1211c8bf1297f099028cba415b5212

SHA1
1cddb8310a6670a90193876c46f769ced6567eba

SHA256
ed452051b63921e5f64c108047c1433a3015dbba013a650e5016e438e129059d

SHA512
86ce312d603797e86cbf841622d416167b6b529c316c9a5ca17a2fc8c03c4f8180ba3422a88aa3a304fbcbb61b6712433468448fb293077835524b4907c0180c

Download Submit
C:\ProgramData\19E7.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
145KB

MD5
9f5a27fcffdbae027d47ef8e781401fa

SHA1
782a2678d5d3f91e0c56e60a52c468e0a2e508f5

SHA256
e043cc5cd8640eceb29e0a9a6320a3b62bda4822029782474646e1cce22ab4e1

SHA512
ff4218cec4658aba0f6cadca5917d88ac63980da95ab8fafb2f735db64f9419f1c1ccd8f6766852562fa1ef17979c8bb6ced19377f27118ff0349401f0fe8964

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\DDDDDDDDDDD

Filesize
129B

MD5
cc96acc8f068283c527ee9ebb6bed023

SHA1
c6ad4162bd9b60e4050125ffe567bd545829ef60

SHA256
c6e4a8315ed616b31d3399c7ca204b64a12f640270e0e301b3e8c2ff90fcb008

SHA512
e01dcccc5eb913f34fc4353e137712af2f26f5378db129bd1af247566f0549756f06e2037f9f0059cb4e18971f6c1f66b72dcc0589603140e6b71a061df1bdc6

Download Submit
memory/316-856-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/316-855-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/316-854-0x0000000000240000-0x0000000000280000-memory.dmp

Filesize
256KB

Download
memory/316-853-0x0000000000240000-0x0000000000280000-memory.dmp

Filesize
256KB

Download
memory/316-852-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/316-886-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/316-885-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2444-0-0x0000000000DD0000-0x0000000000E10000-memory.dmp

Filesize
256KB

Download