Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 15-11-2024 12:23
Behavioral task behavioral1
- Sample: 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
- Resource: win10v2004-20241007-en
General
- Target: 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
- Size: 145KB
- MD5: 8005b63da0a2688ea287976c6f943abe
- SHA1: 2c84df5324d1044f2fba0385319d0248dc5beb4b
- SHA256: 0b96b4946ea996ef7d79b7d2d4d5bf3506457f26a47e835492c53f587f0a6111
- SHA512: 89077d40eaf1f3cd1940d5f26796fee7634e38d63870861b85002aa4b66412f7741980d7c587a45f795fc3b27b71adb19776b20dc06f5b70b5efdaa10171ae25
- SSDEEP: 3072:P6glyuxE4GsUPnliByocWeppfpra9wpAm9bXFKo0bW:P6gDBGpvEByocWepm9mpj0
Malware Config
Signatures
- Renames multiple (357) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself (1 IoC)
  pid 2484, Process 12A6.tmp
- Executes dropped EXE (1 IoC)
  pid 2484, Process 12A6.tmp
- Loads dropped DLL (1 IoC)
  pid 2644, Process 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini | 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini | 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\IPjaex13M.bmp" | 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\IPjaex13M.bmp" | 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid | Process
  2644 | 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe (4 entries)
  2484 | 12A6.tmp (1 entry)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 12A6.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Modifies Control Panel (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop | 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IPjaex13M\DefaultIcon\ = "C:\\ProgramData\\IPjaex13M.ico" | 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.IPjaex13M | 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.IPjaex13M\ = "IPjaex13M" | 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IPjaex13M\DefaultIcon | 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IPjaex13M | 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  2644 | 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe (14 entries)
- Suspicious behavior: RenamesItself (26 IoCs)
  pid | Process
  2484 | 12A6.tmp (26 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All 64 entries are pid 2644, Process 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe. Tokens, in order of first appearance, with the number of entries for each:
  Token: SeAssignPrimaryTokenPrivilege (1)
  Token: SeBackupPrivilege (25)
  Token: SeDebugPrivilege (2)
  Token: 36 (1)
  Token: SeImpersonatePrivilege (1)
  Token: SeIncBasePriorityPrivilege (1)
  Token: SeIncreaseQuotaPrivilege (1)
  Token: 33 (1)
  Token: SeManageVolumePrivilege (1)
  Token: SeProfSingleProcessPrivilege (1)
  Token: SeRestorePrivilege (1)
  Token: SeSecurityPrivilege (25)
  Token: SeSystemProfilePrivilege (1)
  Token: SeTakeOwnershipPrivilege (1)
  Token: SeShutdownPrivilege (1)
  After the first fifteen entries listed above, the remaining 49 entries are one SeDebugPrivilege followed by alternating pairs of SeBackupPrivilege and SeSecurityPrivilege.
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2644 wrote to memory of 2484 | 2644 | 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe | 32 (5 entries)
  PID 2484 wrote to memory of 2368 | 2484 | 12A6.tmp | 33 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe (depth 1, PID 2644)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe"
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\12A6.tmp (depth 2, PID 2484)
    Command line: "C:\ProgramData\12A6.tmp"
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2368)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\12A6.tmp >> NUL
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\AUDIODG.EXE (depth 1, PID 2544)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x14c
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: 6b8c78b32b1bd3978f2e4924f7d7f84c
  SHA1: 2203a724f075d2611d94830713515bd965a2dc7f
  SHA256: d6d86ec3925a24b87d1f7abe787c7b64f033af45e026f945cd29e0eabcdeeff0
  SHA512: b98b022b57d8eb98027fc5c14505caea21c8c6447eec5a936e287693e52947b507b6e4f156f28a030c1aed84350bace5c33e30b9aef72fb283a2202841f39bb7
- Filesize: 334B
  MD5: 88f6599d557ec2b7a12b3ab4faf3c364
  SHA1: 1bc917d0543deee57c7e13f7ed182c8692e69458
  SHA256: 781cf1f98ccd2cf18079967e28996a722e75fa28cb2ecc8b638e2efcdf751e8d
  SHA512: d1633a186dbc849f8c056bd53df4b24f972f170cb4e602b487d89b9762ce78699cf148d70f62272e8e2d13888a73b38910b43c378af8d21102a3fd2e08731d19
- Filesize: 145KB
  MD5: b98b5bc342b41f973787b82d440def39
  SHA1: 2d25f5345bd34a998a5b931c4b5a80c3aca5fcbd
  SHA256: 85a37399f7dbfe1a22baa59c921bd3c3717831ea57f0cf0ef8ca02ab66c67fd4
  SHA512: 6b3e869ab4f741a73c321f16e63fa03d2ac01b7bda715b281692c861c509ffe791e2c9199c05161c29994a6e6b0f252589bd74f239649ce9493e1a1d863a69bf
- Filesize: 129B
  MD5: e45d5c5fc9e71477d4e0114b88a1fb36
  SHA1: 061f0a84ad71e894276a787f134c18d2a8dc46bb
  SHA256: e99ac1938d777196780971108ecd2c9aae3d091749295f4b8d2ceb44a7a9046a
  SHA512: 19cf0918def20d9c36917fed78371dc3657402312fc68f9bc5fa00971cb1bee7b88eccbf5e5d191f1c8559f52968135043aa790e0b6692baf2d293a4e40ddac6
- Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf