Analysis
-
max time kernel
146s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
29-09-2024 15:17
Behavioral task
behavioral1
Sample
202409298911139e0686509cbf44954ba2ba6675darkside.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
202409298911139e0686509cbf44954ba2ba6675darkside.exe
Resource
win10v2004-20240802-en
General
-
Target
202409298911139e0686509cbf44954ba2ba6675darkside.exe
-
Size
150KB
-
MD5
8911139e0686509cbf44954ba2ba6675
-
SHA1
f16aad9a562b1de55e33b2de23abaa7eb0a4a5c7
-
SHA256
4f395d7d4d5c2578f957070e4b0acc6d4bc2d0761f39258e990f2070bd3db2fc
-
SHA512
d20a28ac9987409dfb450740f904138e7ffb5ce16cb7ae13b29061b990136e472cef56427e35a337d07d100e6a6c3ddf08c82a6d402f97c468b73ad8c2d4f6a1
-
SSDEEP
3072:AqJogYkcSNm9V7D5KbhIJ+2EE9ZzoZmT:Aq2kc4m9tD5KmJ0EnMZ
Malware Config
Extracted
C:\tMAXi4m5p.README.txt
Signatures
-
Renames multiple (626) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation BD17.tmp -
Deletes itself 1 IoCs
pid Process 880 BD17.tmp -
Executes dropped EXE 1 IoCs
pid Process 880 BD17.tmp -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini 202409298911139e0686509cbf44954ba2ba6675darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini 202409298911139e0686509cbf44954ba2ba6675darkside.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe File created C:\Windows\system32\spool\PRINTERS\PPfqublapb2vl7evrjrr0qqe20d.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPbyr0y3go4xi9bvaz57br90lvb.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPxw3aj91s9d_hi3i6d9uysju9b.TMP printfilterpipelinesvc.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 880 BD17.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202409298911139e0686509cbf44954ba2ba6675darkside.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BD17.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp 880 BD17.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeDebugPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: 36 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeImpersonatePrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeIncBasePriorityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeIncreaseQuotaPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: 33 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeManageVolumePrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeProfSingleProcessPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeRestorePrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSystemProfilePrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeTakeOwnershipPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeShutdownPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeDebugPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeBackupPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe Token: SeSecurityPrivilege 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 3064 ONENOTE.EXE 3064 ONENOTE.EXE 3064 ONENOTE.EXE 3064 ONENOTE.EXE 3064 ONENOTE.EXE 3064 ONENOTE.EXE 3064 ONENOTE.EXE 3064 ONENOTE.EXE 3064 ONENOTE.EXE 3064 ONENOTE.EXE 3064 ONENOTE.EXE 3064 ONENOTE.EXE 3064 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4000 wrote to memory of 1172 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 84 PID 4000 wrote to memory of 1172 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 84 PID 5016 wrote to memory of 3064 5016 printfilterpipelinesvc.exe 91 PID 5016 wrote to memory of 3064 5016 printfilterpipelinesvc.exe 91 PID 4000 wrote to memory of 880 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 92 PID 4000 wrote to memory of 880 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 92 PID 4000 wrote to memory of 880 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 92 PID 4000 wrote to memory of 880 4000 202409298911139e0686509cbf44954ba2ba6675darkside.exe 92 PID 880 wrote to memory of 4608 880 BD17.tmp 93 PID 880 wrote to memory of 4608 880 BD17.tmp 93 PID 880 wrote to memory of 4608 880 BD17.tmp 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\202409298911139e0686509cbf44954ba2ba6675darkside.exe"C:\Users\Admin\AppData\Local\Temp\202409298911139e0686509cbf44954ba2ba6675darkside.exe"1⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
PID:1172
-
-
C:\ProgramData\BD17.tmp"C:\ProgramData\BD17.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BD17.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:4608
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4644
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{3E6EA264-D3D0-4D91-8BD6-E0312BD20D8B}.xps" 1337209664476000002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3064
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD506b6efba7364d3356aee37ea5e4dd1d3
SHA168e8eb6f2b8d33c323fa9f98f396f917e50f183d
SHA256cbb2f9090bf884d6ce5fdae24aee25d012ea581e1c55fca0c3065617b4844af2
SHA5129c463af28c73e6ca8985d4125c7ad5aee5dca6e051e760198bea19d370df7ee62548313313b4c850afde0547843d2625d2a2b399652b1e97a40863e1edcecc0c
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
150KB
MD528b70086ebf5147fe3dbddd469d57068
SHA188231a9adfe3aa72f5ae05a8e13b51db924fb531
SHA2565b45d424926521823c61b190517c74b5afe8c83947a0b0c13f36f41d14a9d67d
SHA512974506416af6167f25971af898043e498fb32fa11f1431babf2096308a9a8d2696055bff6aae89addaf3bf6248f6b65b403eb3e532c8515d71b7e14e3552ab46
-
Filesize
4KB
MD5b1aca1e814a114d49fb9feb20e896734
SHA1c124dee2c037e0a218503ae0572d2de17576a09a
SHA25691ab3856b0c00776978fbefa5e2b703890c4a94cfb537796dea3c0219a7ada91
SHA512904f109aabd218054f48d3a81dc55899311a6c3997b24d85d7928360c3d2126db272682ba43d729f55276d631484489ee54375c77cc7d1150bde23728e2b7237
-
Filesize
3KB
MD53b2c7f51fe80e142a7dbbf0d3565e398
SHA1dc32f374357a8057bbe023e9e2ba9755b04388b3
SHA2568ce7b3a993e3ab7bec11db06274026cc24cd6f04649db19e0b8a2e3c64177803
SHA5120fe73ea135598b8ad13aa50b11e6ef82a2306e7bb66cf4f0b93747b64d233f42de049a32ff75b1bc315aa2b6f29c3524cfc467ba6782f2cbbbee526d39e88318
-
Filesize
129B
MD5f2e79d80f412c90e84167969861836b5
SHA17e53e6fa90577cead61aa77efe97a281b551749a
SHA25641a312a722e69fa33cc3b56a3e9e6ebef3597985b608666010129f64d38aa1a4
SHA512f6915955bbb2b41dd1c86f8c09a46be2a8327df5543d450a83834ad93bae52292274d390edd023ad15d47c4a8f1e9da478c019e43dcfeef1deeab8ae44f2da65