cd4a001ca9419ac6e0220333a5d0a843698abf5bab58040fdf1725df6e2f34ed

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Size

146KB
MD5

8b4ff23ebd887a44d0383ef513aca063
SHA1

ec4d050d74b2088ccdc5e75955a011506e1b1687
SHA256

cd4a001ca9419ac6e0220333a5d0a843698abf5bab58040fdf1725df6e2f34ed
SHA512

40e6d5ad6137ddbd552e9902d9671ab26eb678499c1249204445cee7896b887a1f0fd48690d7066667459ef3c8e8a4fb2cdb07a93cc02266e21b1555d7f942e8
SSDEEP

3072:Y6glyuxE4GsUPnliByocWepf3Ggr5QZLkZKXNx:Y6gDBGpvEByocWeZGgFoz

Score

9^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (327) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

27EB.tmp

pid	Process
1612	27EB.tmp

Executes dropped EXE 1 IoCs

Processes:

27EB.tmp

pid	Process
1612	27EB.tmp

Loads dropped DLL 1 IoCs

Processes:

2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe

pid	Process
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\SsCWUDNQz.bmp"	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\SsCWUDNQz.bmp"	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe27EB.tmp

pid	Process
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
1612	27EB.tmp

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe27EB.tmpcmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27EB.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\WallpaperStyle = "10"	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe

Modifies registry class 5 IoCs

Processes:

2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SsCWUDNQz\DefaultIcon\ = "C:\\ProgramData\\SsCWUDNQz.ico"	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.SsCWUDNQz	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.SsCWUDNQz\ = "SsCWUDNQz"	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SsCWUDNQz\DefaultIcon	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SsCWUDNQz	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe

pid	Process
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

27EB.tmp

pid	Process
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp
1612	27EB.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeDebugPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: 36	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeImpersonatePrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeIncBasePriorityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeIncreaseQuotaPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: 33	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeManageVolumePrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeProfSingleProcessPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeRestorePrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSystemProfilePrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeTakeOwnershipPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeShutdownPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeDebugPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeBackupPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
Token: SeSecurityPrivilege	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe27EB.tmp

description	pid	Process	procid_target
PID 2392 wrote to memory of 1612	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe	32
PID 2392 wrote to memory of 1612	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe	32
PID 2392 wrote to memory of 1612	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe	32
PID 2392 wrote to memory of 1612	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe	32
PID 2392 wrote to memory of 1612	2392	2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe	32
PID 1612 wrote to memory of 864	1612	27EB.tmp	33
PID 1612 wrote to memory of 864	1612	27EB.tmp	33
PID 1612 wrote to memory of 864	1612	27EB.tmp	33
PID 1612 wrote to memory of 864	1612	27EB.tmp	33

C:\Users\Admin\AppData\Local\Temp\2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-15_8b4ff23ebd887a44d0383ef513aca063_darkside.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\ProgramData\27EB.tmp
  "C:\ProgramData\27EB.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\27EB.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:864

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini

Filesize
129B

MD5
69c23af2721caf1b9f795af22314164a

SHA1
3bd30e5fde2801619314f5c7862083f51b9f082d

SHA256
c4b51b0923d2ec1933060d03c169c44093b19655a4d80e9cd2b095592a38b215

SHA512
d874f58a4a5c91a2d95243d9df582396ba3e8d488e0d28a707de7f99ba218777078846331fcd522c5f51d2fdd49a7d817cab1614bb7b489f515c3a891d1de111

Download Submit
C:\SsCWUDNQz.README.txt

Filesize
343B

MD5
72b1ffaeb7de456483f491ecceadb088

SHA1
ee1953abc295245ab01f35a4a823883826bf2b41

SHA256
eb892eac9899b995047733bb17acd4945eb42b7b49f2ee8ad52b8026bc0297a7

SHA512
c0e7cad617cf1490bb25fc47936edc3ae164b190ed34f2d2a50e7e84ce6e0d6712a6ba9ab351cca1589266078326a00317516c53fecf96f20eaefe15e92ce445

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
146KB

MD5
e3603be79fef7ce79c97c46783f0d29c

SHA1
ea4b3eb8fe405c5e42ea319264680cf260f22393

SHA256
73194a2a00703beee9263885228ec679bdc5b7bbca3fee6d1489ddbb185dcd16

SHA512
c56eec3a412d77099f58c0635afde67d2663a8a138d2787cbf5e5a10941e48200e9b5c73a95200f1032f972bd2de797fddb38fb2c14e7a2cdb4250fcfd26802b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\DDDDDDDDDDD

Filesize
129B

MD5
df9b70adc649d7081c2bb1cf333da23a

SHA1
f43dee2bdd5839ca276ee215b457d31fb1098cda

SHA256
6be6b02ca84bdd4ee6bb0662f7b0566ac10dbee74437c0acfbf6540657f0a8c5

SHA512
b22a2d9192aeffc88087fc7cbbc2c3b9b68832173c70bcb124025b52518310baa28e58ccba26cd39cd124cc839625d645b29333ec202349c248eeba38ef44d7c

Download Submit
\ProgramData\27EB.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1612-860-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/1612-863-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1612-862-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2392-1-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download
memory/2392-0-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download