Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29-09-2024 15:17
Behavioral task
behavioral1
Sample
202409298911139e0686509cbf44954ba2ba6675darkside.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
202409298911139e0686509cbf44954ba2ba6675darkside.exe
Resource
win10v2004-20240802-en
General
-
Target
202409298911139e0686509cbf44954ba2ba6675darkside.exe
-
Size
150KB
-
MD5
8911139e0686509cbf44954ba2ba6675
-
SHA1
f16aad9a562b1de55e33b2de23abaa7eb0a4a5c7
-
SHA256
4f395d7d4d5c2578f957070e4b0acc6d4bc2d0761f39258e990f2070bd3db2fc
-
SHA512
d20a28ac9987409dfb450740f904138e7ffb5ce16cb7ae13b29061b990136e472cef56427e35a337d07d100e6a6c3ddf08c82a6d402f97c468b73ad8c2d4f6a1
-
SSDEEP
3072:AqJogYkcSNm9V7D5KbhIJ+2EE9ZzoZmT:Aq2kc4m9tD5KmJ0EnMZ
Malware Config
Extracted
C:\tMAXi4m5p.README.txt
Signatures
-
Renames multiple (312) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 692 77DE.tmp -
Executes dropped EXE 1 IoCs
pid Process 692 77DE.tmp -
Loads dropped DLL 1 IoCs
pid Process 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini 202409298911139e0686509cbf44954ba2ba6675darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini 202409298911139e0686509cbf44954ba2ba6675darkside.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 692 77DE.tmp -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202409298911139e0686509cbf44954ba2ba6675darkside.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 77DE.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp 692 77DE.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeDebugPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: 36 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeImpersonatePrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeIncBasePriorityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeIncreaseQuotaPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: 33 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeManageVolumePrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeProfSingleProcessPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeRestorePrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSystemProfilePrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeTakeOwnershipPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeShutdownPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeDebugPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2748 wrote to memory of 692 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe 32 PID 2748 wrote to memory of 692 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe 32 PID 2748 wrote to memory of 692 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe 32 PID 2748 wrote to memory of 692 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe 32 PID 2748 wrote to memory of 692 2748 202409298911139e0686509cbf44954ba2ba6675darkside.exe 32 PID 692 wrote to memory of 888 692 77DE.tmp 33 PID 692 wrote to memory of 888 692 77DE.tmp 33 PID 692 wrote to memory of 888 692 77DE.tmp 33 PID 692 wrote to memory of 888 692 77DE.tmp 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\202409298911139e0686509cbf44954ba2ba6675darkside.exe"C:\Users\Admin\AppData\Local\Temp\202409298911139e0686509cbf44954ba2ba6675darkside.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\ProgramData\77DE.tmp"C:\ProgramData\77DE.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\77DE.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:888
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x14c1⤵PID:2160
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5788ea1a02f43ffdf92c76e9806e95022
SHA10b872260275da92cd17cdb6629994c5c09bbc383
SHA2567787b00e63900b4927b4f6c11897ba988349549e81aa809d5505fd553889b753
SHA512cb8efbb790a32b2c848cad8bb4542df39a79601106421c26b9f7e66be899351dedea996f7eafcb7ab31108eccccf996b562687e1352eaf4852b22c189f283ba4
-
Filesize
150KB
MD531883040f66a7c39887b7e9e08e282b7
SHA12ed0d09006c1911c3ad960676ba702cf2265eab7
SHA256a22160da1af07685fce9a5fc86b5b82c461956f23f333c9b999013a8412b6756
SHA512fd6f3329e3ec8633d4d55e1214321e73e05a62069b599ad6bba714c715fc30eb259dcfda4f91efd4fc8f7967c5306ffe94ef16181bc6b5673b2368ff6e83612c
-
Filesize
3KB
MD53b2c7f51fe80e142a7dbbf0d3565e398
SHA1dc32f374357a8057bbe023e9e2ba9755b04388b3
SHA2568ce7b3a993e3ab7bec11db06274026cc24cd6f04649db19e0b8a2e3c64177803
SHA5120fe73ea135598b8ad13aa50b11e6ef82a2306e7bb66cf4f0b93747b64d233f42de049a32ff75b1bc315aa2b6f29c3524cfc467ba6782f2cbbbee526d39e88318
-
Filesize
129B
MD564d1cc450aedf43f70872c8412d19e1e
SHA1cb6577cc8d0369d4ace15e5355fca72d73c4fe28
SHA25686d015b50d4f996c655d0569c53b07f333397ee5fe8b44873dd620ef63c6ccc9
SHA51217a0bfa2cc7e4a8cae71fd49da5b7631d1a87d721b1027350136f53e356d4ea2172c93ba7157cb11a08c040dd2fce8ef694f17ecd1bbfb3b5e25a0b8ac0ffd49
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf