Analysis
max time kernel: 145s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-09-2024 11:40

Behavioral task: behavioral1
Sample: 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Resource: win10v2004-20240802-en
General
Target: 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
Size: 146KB
MD5: 76a0d2ef15e408b4a07f534c8d056b30
SHA1: 7ddc10e637b0ab439b80a193420b00bcf03c3dd7
SHA256: 2317d33628eb06af24d1d6d94ff892d6fb6a7ecca24094d477f5c77829ca35c0
SHA512: 48f709fe69c2aa219ee40167f1f82806fd003b697b6ecc96aa87826670b12533530a9314a4a642e92784ef59b4a97628ab27a4c781695a37d946ca624f6fff67
SSDEEP: 3072:D6glyuxE4GsUPnliByocWepOsNPfGk21h:D6gDBGpvEByocWeqN
Malware Config
Signatures
- Renames multiple (161) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | CC79.tmp
- Deletes itself (1 IoC)
  pid | Process
  1448 | CC79.tmp
- Executes dropped EXE (1 IoC)
  pid | Process
  1448 | CC79.tmp
- Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini | 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini | 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\spool\PRINTERS\PPzx9h1vn4whc0c4wz362iip2.TMP | printfilterpipelinesvc.exe
  File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
  File created | C:\Windows\system32\spool\PRINTERS\PPg73yjcifx0y714v25p4mlupfb.TMP | printfilterpipelinesvc.exe
  File created | C:\Windows\system32\spool\PRINTERS\PP0epa4c3oi59dov6tb3_xxozpd.TMP | printfilterpipelinesvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\3WaPinOps.bmp" | 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\3WaPinOps.bmp" | 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid | Process
  3304 | 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe (4 entries)
  1448 | CC79.tmp (1 entry)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CC79.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
- Modifies Control Panel (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop | 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\3WaPinOps | 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\3WaPinOps\DefaultIcon\ = "C:\\ProgramData\\3WaPinOps.ico" | 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.3WaPinOps | 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.3WaPinOps\ = "3WaPinOps" | 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\3WaPinOps\DefaultIcon | 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  3304 | 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe (12 entries)
  4748 | ONENOTE.EXE (2 entries)
- Suspicious behavior: RenamesItself (26 IoCs)
  pid | Process
  1448 | CC79.tmp (26 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All entries are by pid 3304, 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe. Tokens, in order of first appearance:
  Token: SeAssignPrimaryTokenPrivilege
  Token: SeBackupPrivilege
  Token: SeDebugPrivilege
  Token: 36
  Token: SeImpersonatePrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeIncreaseQuotaPrivilege
  Token: 33
  Token: SeManageVolumePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeRestorePrivilege
  Token: SeSecurityPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  The remaining entries are repeated adjustments of SeBackupPrivilege and SeSecurityPrivilege, alternating in pairs, up to the 64 IoCs in total.
- Suspicious use of SetWindowsHookEx (13 IoCs)
  pid | Process
  4748 | ONENOTE.EXE (13 entries)
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 3304 wrote to memory of 3852 | 3304 | 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe | 84 (2 entries)
  PID 3640 wrote to memory of 4748 | 3640 | printfilterpipelinesvc.exe | 87 (2 entries)
  PID 3304 wrote to memory of 1448 | 3304 | 2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe | 88 (4 entries)
  PID 1448 wrote to memory of 4940 | 1448 | CC79.tmp | 89 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe (PID 3304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024092676a0d2ef15e408b4a07f534c8d056b30darkside.exe"
  Signatures:
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\splwow64.exe (PID 3852)
    Command line: C:\Windows\splwow64.exe 12288
    Signatures:
    - Drops file in System32 directory
  - C:\ProgramData\CC79.tmp (PID 1448)
    Command line: "C:\ProgramData\CC79.tmp"
    Signatures:
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\cmd.exe (PID 4940)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CC79.tmp >> NUL
      Signatures:
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe (PID 2260)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
- C:\Windows\system32\printfilterpipelinesvc.exe (PID 3640)
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  Signatures:
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 4748)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{63803C05-34AA-4B8A-97F2-37C1626EBF38}.xps" 133718244518080000
    Signatures:
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads