Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
06-10-2024 04:50
Behavioral task
behavioral1
Sample
2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe
-
Size
146KB
-
MD5
e09dd7cca0c6c147ba21b4062e723c5b
-
SHA1
ff6333bdda824e4c13bcd13351bd4bb14aaeab11
-
SHA256
d9938ac4346d03a07f8ce8b57436e75ba5e936372b9bfd0386f18f6d56902c88
-
SHA512
603f45dc0b3302739ef6e4727572ecf64cf6f65c80af1e05aa3795fc9ce36849cf0f465bbf8a9f116c8fb3da8d91998ec5582b24503f4f43764e7b3543a94c4e
-
SSDEEP
3072:yqJogYkcSNm9V7DNDgSKet5JXglKso1WT:yq2kc4m9tDjlrJX3so
Malware Config
Extracted
C:\fB1SZ2i3X.README.txt
https://tox.chat
Signatures
-
Renames multiple (325) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 2848 363D.tmp -
Executes dropped EXE 1 IoCs
pid Process 2848 363D.tmp -
Loads dropped DLL 1 IoCs
pid Process 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\fB1SZ2i3X.bmp" 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\fB1SZ2i3X.bmp" 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2848 363D.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 363D.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\WallpaperStyle = "10" 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.fB1SZ2i3X 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.fB1SZ2i3X\ = "fB1SZ2i3X" 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\fB1SZ2i3X\DefaultIcon 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\fB1SZ2i3X 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\fB1SZ2i3X\DefaultIcon\ = "C:\\ProgramData\\fB1SZ2i3X.ico" 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp 2848 363D.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeDebugPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: 36 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeImpersonatePrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeIncBasePriorityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeIncreaseQuotaPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: 33 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeManageVolumePrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeProfSingleProcessPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeRestorePrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSystemProfilePrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeTakeOwnershipPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeShutdownPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeDebugPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2212 wrote to memory of 2848 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 33 PID 2212 wrote to memory of 2848 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 33 PID 2212 wrote to memory of 2848 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 33 PID 2212 wrote to memory of 2848 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 33 PID 2212 wrote to memory of 2848 2212 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 33 PID 2848 wrote to memory of 860 2848 363D.tmp 34 PID 2848 wrote to memory of 860 2848 363D.tmp 34 PID 2848 wrote to memory of 860 2848 363D.tmp 34 PID 2848 wrote to memory of 860 2848 363D.tmp 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\ProgramData\363D.tmp"C:\ProgramData\363D.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\363D.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:860
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x14c1⤵PID:1012
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD51049983e27e16c5ca9aae550343d3a78
SHA112e0a98569f0c01147e332624f7471fca3ca60e7
SHA256d153f0ffa6727d08d4f2b97f0e068380202f32b8153709a15dc64d5fd6a31438
SHA512c09a27ece7cef262772c6aa4d43a7e98b77c9c6c1ce24415a1c2417295ce57695d3ed961c4b70194afc2ad0cdf6d496cb0dcb19e0dd5e893371cf8b6c19ab913
-
Filesize
146KB
MD5298fadf8275954a131f33ba2f6ccdeee
SHA11a8abaad8d2b1fa1707542dc4976156d57e176b7
SHA2565f33f8fe821d4897cc75338c3e94155e5659ce2771912a1834ae26b5e73a6bce
SHA512a9c37af63b1da37ac237c05453ece723625808b81d46ff9e7aa35d7623e7ec8b7bb40e0cc2a8350db5d92783eabf8c3067336cfc0e500d797d10e5405d27770d
-
Filesize
1KB
MD5b6f51f782671437c0c3fc9feedbf49d5
SHA16a63a513e0ed1164c543826b62976c50a0f44cd6
SHA2565550b07d1b15290876c5600afd6eb2bf735be39a1b5e6c28ec32f516ca44b038
SHA5125b36f76f80f6dc396970442253226ff8aafd1879324bb8d333b75fb84a367f82d8c15b892bc48202689b11101b0484d524f529b38433ddbb3435ed494a282d0a
-
Filesize
129B
MD509c42f5cd6ca5adb9e2d715763a6cab0
SHA10e14bd684193d2069656ab847ec95720cd4b0479
SHA256683e0818fb60c11fc055bf4f0c6e6dd11d2d0c227b5d6cc2daff24affaf31beb
SHA5127fad5e5d7ea979d1a444b5d54e3c023d27f83b6d92f03a301a3f62b88c3e014043674763ad6f8c7faefce7e2656e4ce0715f79ae88659e580fe2157447144965
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf