Analysis
  max time kernel: 119s
  max time network: 120s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 26-09-2024 01:03
Behavioral task: behavioral1
  Sample: 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe
  Resource: win10v2004-20240802-en
General
  Target: 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe
  Size: 147KB
  MD5: 0ebb815bbd3f1b249d4a86d18e5f064b
  SHA1: 474fea9f172a6d6857a133755953330ae802409b
  SHA256: 6fa257b42aa0e3323fbf6ca0026f331fe58447e22224d2f0ea8e533bd9eed096
  SHA512: a427c4d7ed3d9565c9051801ea6d38ffbd293b2dee0ad54e71b573bfee5030de4c9ca7132373ce90a051201d1c01e07990a877c07e5ab6c73017140e580a24ba
  SSDEEP: 1536:8zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD4056A76O4xEwyamTS8GHViXqWB:zqJogYkcSNm9V7Drl7Z4q3S4XqWbJT
Malware Config
  Extracted: C:\dZGlueXae.README.txt
Signatures

Renames multiple (160) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.

Deletes itself (1 IoC)
  Processes:
    - PID 1772  5D2D.tmp

Executes dropped EXE (1 IoC)
  Processes:
    - PID 1772  5D2D.tmp

Loads dropped DLL (1 IoC)
  Processes:
    - PID 1120  2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe

Drops desktop.ini file(s) (2 IoCs)
  Processes:
    - File opened for modification: C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini (2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe)
    - File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini (2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe)
Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
    - PID 1772  5D2D.tmp

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe)
    - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (5D2D.tmp)
    - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    - PID 1120  2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe (12 identical entries)

Suspicious behavior: RenamesItself (26 IoCs)
  Processes:
    - PID 1772  5D2D.tmp (26 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: every entry is PID 1120, 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe
    - Token: SeAssignPrimaryTokenPrivilege
    - Token: SeBackupPrivilege
    - Token: SeDebugPrivilege
    - Token: 36
    - Token: SeImpersonatePrivilege
    - Token: SeIncBasePriorityPrivilege
    - Token: SeIncreaseQuotaPrivilege
    - Token: 33
    - Token: SeManageVolumePrivilege
    - Token: SeProfSingleProcessPrivilege
    - Token: SeRestorePrivilege
    - Token: SeSecurityPrivilege
    - Token: SeSystemProfilePrivilege
    - Token: SeTakeOwnershipPrivilege
    - Token: SeShutdownPrivilege
    - Token: SeDebugPrivilege
    - followed by 48 further entries alternating in pairs between SeBackupPrivilege and SeSecurityPrivilege (24 of each), in the order SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, and so on
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    - PID 1120 wrote to memory of 1772 (2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe, procid_target 30) (5 identical entries)
    - PID 1772 wrote to memory of 2408 (5D2D.tmp, procid_target 31) (4 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe"
  PID: 1120
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\5D2D.tmp
    Command line: "C:\ProgramData\5D2D.tmp"
    PID: 1772
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5D2D.tmp >> NUL
      PID: 2408
      - System Location Discovery: System Language Discovery

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x14c
  PID: 440
Network
MITRE ATT&CK Enterprise v15
Downloads