932448031d067a602b8000e2ecdc6541d2d3e085b276d7db84785e1511b65b07

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/08/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Size

146KB
MD5

ba0f3824fd072544573c12333c62f98c
SHA1

072e25f82f2e9ae80358c4bab85f12635051cf0b
SHA256

932448031d067a602b8000e2ecdc6541d2d3e085b276d7db84785e1511b65b07
SHA512

a8e7dea7ac6cb66a1293a26f0c41de483673885d7ff44e43efd28e1dd10d48172817a2c78a3312f8ac0ce22f6f385f56c39905699682101b3a2ca70b8205e917
SSDEEP

1536:KzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD7uGRWaa9aZoRspbQuIUyz:5qJogYkcSNm9V7Dq4SuIT

Score

9^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (385) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2380	C88D.tmp

Executes dropped EXE 1 IoCs

pid	Process
2380	C88D.tmp

Loads dropped DLL 1 IoCs

pid	Process
2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C88D.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp
2380	C88D.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeDebugPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: 36	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeImpersonatePrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeIncBasePriorityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeIncreaseQuotaPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: 33	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeManageVolumePrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeProfSingleProcessPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeRestorePrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSystemProfilePrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeTakeOwnershipPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeShutdownPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeDebugPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeBackupPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
Token: SeSecurityPrivilege	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2380	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe	32
PID 2976 wrote to memory of 2380	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe	32
PID 2976 wrote to memory of 2380	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe	32
PID 2976 wrote to memory of 2380	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe	32
PID 2976 wrote to memory of 2380	2976	2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe	32
PID 2380 wrote to memory of 1464	2380	C88D.tmp	34
PID 2380 wrote to memory of 1464	2380	C88D.tmp	34
PID 2380 wrote to memory of 1464	2380	C88D.tmp	34
PID 2380 wrote to memory of 1464	2380	C88D.tmp	34

C:\Users\Admin\AppData\Local\Temp\2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-01_ba0f3824fd072544573c12333c62f98c_darkside.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\ProgramData\C88D.tmp
  "C:\ProgramData\C88D.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C88D.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1464

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini

Filesize
129B

MD5
55edc58ee23bd005faf633813a5c55a3

SHA1
b03369c49bc8ff3eb2f0ca39b0788e631a900d04

SHA256
62481862aa62d36ea2f0d66c5f360fa3270a0c3abf0ae6b0dbadd4e7c790aabf

SHA512
b9d520c42e7a1acc1d516208ae053c8012dd374890862b74e02c1d26e0bdfae2c7a9a657bf2c4fd8a092c9de30a6b36cbbff1375a51e65c8d45596df1af80e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
146KB

MD5
15872ea387be553192431407b0d2aefb

SHA1
34174faad8cdf4d44dc38bd8e99e9bda8c899194

SHA256
14c30eee8b1fa9a1145d2ba38517ffa0467a4f58a4d00925d16c7ed1c691fe2c

SHA512
3c0a4bbd68c32be8e2340247ac5e4f0c579c5ee209c575e4738cdf4c17729930717b9cd1cb3656b635f9ebd97d6101930772e12bb8b13d656861282e628e38bf

Download Submit
C:\VeA5vab0N.README.txt

Filesize
942B

MD5
e20a9014ed71b2c304bb87faab2fdf6b

SHA1
c1cce70fa33ec7cfd52187acc490f0130f424012

SHA256
ef9c4c4228714c697598358afe82b9a6a1e513947cff238d9b3c0a9bf92498fd

SHA512
7503f63eeed77320b182f3cc55a3cc6eca6f9dbfac51b5c6bf6ddf1be8a3d2f510eecbb8fbcee3c513aaee1e9b37195f2250da8b40f934993d7b596a59cab802

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-940600906-3464502421-4240639183-1000\HHHHHHHHHHH

Filesize
129B

MD5
7b499ac8950b9b492fbd7b276bdd91a6

SHA1
41bccac66b32ae9ec3cb0b6ebc088deb067acce7

SHA256
d68f717d7cc694009ffc625e1ab2d3e2d43387f2cbbb11dd3a3ba87b46875311

SHA512
b7c4c750eea994df022ff6a72be25d696c506d09933afe98cf4029994099d545773f24c372b8da635e9d5c620d62a8e8f6f93063f2d93953bfb2027d27d56fba

Download Submit
\ProgramData\C88D.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/2380-1032-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/2380-1035-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2380-1034-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2380-1033-0x0000000002260000-0x00000000022A0000-memory.dmp

Filesize
256KB

Download
memory/2380-1064-0x0000000002260000-0x00000000022A0000-memory.dmp

Filesize
256KB

Download
memory/2380-1067-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2380-1068-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/2976-0-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download