Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2024 20:23
Behavioral task behavioral1
Sample: 2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe
Resource: win7-20241023-en

Behavioral task behavioral2
Sample: 2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe
Resource: win10v2004-20241007-en
General
Target: 2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe
Size: 145KB
MD5: 913458a5e9eb4026c62609375b534227
SHA1: 9739ae38effef090b3b558531e01bf2252bd018f
SHA256: c1e76af376454bab05e44634ca4e017e7607e41c9df6e067162d28064a1c7cd6
SHA512: 5b653989cafdbd586216ccd11d243001b066b044df93478f574577f170b72a84b3831c89933c023ac458d8c2d4fb2fe4cdfcac0608806258150c3df101a79275
SSDEEP: 1536:DzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDXcl74OOjAp31AyNpCSV6O9xv2T:cqJogYkcSNm9V7DG98YlXjCSV6O9R2T
Malware Config

Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   Process
  2220  D836.tmp

Loads dropped DLL (1 IoC)
Processes:
  pid   Process
  2396  2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (2 IoCs)
Processes:
  description                   ioc                                                                         Process
  File opened for modification  C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini  2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe
  File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini  2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
Processes:
  pid   Process
  2220  D836.tmp
  2220  D836.tmp
  2220  D836.tmp
  2220  D836.tmp
  2220  D836.tmp
  2220  D836.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  D836.tmp
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid   Process
  2396  2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe
  2396  2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe
  2396  2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe
  2396  2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe
  2396  2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe
  2396  2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe
  2396  2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe
  2396  2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  All 64 entries belong to pid 2396, 2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe; tokens in the order reported:
  Token: SeAssignPrimaryTokenPrivilege
  Token: SeBackupPrivilege
  Token: SeDebugPrivilege
  Token: 36
  Token: SeImpersonatePrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeIncreaseQuotaPrivilege
  Token: 33
  Token: SeManageVolumePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeRestorePrivilege
  Token: SeSecurityPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeShutdownPrivilege
  Token: SeBackupPrivilege
  Token: SeBackupPrivilege
  Token: SeSecurityPrivilege
  Token: SeSecurityPrivilege
  Token: SeBackupPrivilege
  Token: SeBackupPrivilege
  Token: SeSecurityPrivilege
  Token: SeSecurityPrivilege
  Token: SeBackupPrivilege
  Token: SeBackupPrivilege
  Token: SeSecurityPrivilege
  Token: SeSecurityPrivilege
  Token: SeBackupPrivilege
  Token: SeBackupPrivilege
  Token: SeSecurityPrivilege
  Token: SeSecurityPrivilege
  Token: SeBackupPrivilege
  Token: SeBackupPrivilege
  Token: SeSecurityPrivilege
  Token: SeSecurityPrivilege
  Token: SeBackupPrivilege
  Token: SeBackupPrivilege
  Token: SeSecurityPrivilege
  Token: SeSecurityPrivilege
  Token: SeBackupPrivilege
  Token: SeBackupPrivilege
  Token: SeSecurityPrivilege
  Token: SeSecurityPrivilege
  Token: SeBackupPrivilege
  Token: SeBackupPrivilege
  Token: SeSecurityPrivilege
  Token: SeSecurityPrivilege
  Token: SeBackupPrivilege
  Token: SeBackupPrivilege
  Token: SeSecurityPrivilege
  Token: SeSecurityPrivilege
  Token: SeBackupPrivilege
  Token: SeBackupPrivilege
  Token: SeSecurityPrivilege
  Token: SeSecurityPrivilege
  Token: SeBackupPrivilege
  Token: SeBackupPrivilege
  Token: SeSecurityPrivilege
  Token: SeSecurityPrivilege
  Token: SeBackupPrivilege
  Token: SeBackupPrivilege
  Token: SeSecurityPrivilege
  Token: SeSecurityPrivilege
  Token: SeBackupPrivilege
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  pid   wrote to memory of  Process                                                    procid_target
  2396  2220                2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe  33
  2396  2220                2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe  33
  2396  2220                2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe  33
  2396  2220                2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe  33
  2396  2220                2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe  33
  2220  1000                D836.tmp                                                   36
  2220  1000                D836.tmp                                                   36
  2220  1000                D836.tmp                                                   36
  2220  1000                D836.tmp                                                   36
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-21_913458a5e9eb4026c62609375b534227_darkside.exe"
   PID: 2396
   - Loads dropped DLL
   - Drops desktop.ini file(s)
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\D836.tmp
      Command line: "C:\ProgramData\D836.tmp"
      PID: 2220
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D836.tmp >> NUL
         PID: 1000
         - System Location Discovery: System Language Discovery

1. C:\Windows\system32\AUDIODG.EXE
   Command line: C:\Windows\system32\AUDIODG.EXE 0x14c
   PID: 2172
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 129B
MD5: c1be35f349fdc7c85a78ae55274035ac
SHA1: ac9e3d0e6d369849dd62ff72ef1715147f97a4d0
SHA256: 8d46e51e14b8a8aa1d2eb9967d8aacdeca6ae8f067519c505b9fcfcf7f11f513
SHA512: 75d36d439f579fad486ae274383bcd45861556e2d372b75017bde9540931879ccd2a73e7879d6bd9bf4157557a87dc8f0d218039d8b98c8ed72c651beb35faeb

Filesize: 452B
MD5: 2c8a477210bc402025a4f4e41c2d7d39
SHA1: 6a0712f23a5804431f12a8d9d6c46dba547b3fb7
SHA256: 6ef1c87c6bb2394097048c2d7495f228e53bc59a3a1232ad389f21c166432d76
SHA512: 3cb182a1e90a0c1576719b0b021e16f4ddfb26f225a88daff520c1b9226fb1d10cef96cba0df73feea81d9cc597a210f9120c2c1ab8bc2b5bb931af865ce8550

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Filesize: 129B
MD5: 7a5afefa71df7e4361c2dbc503257e4a
SHA1: e2d4b6ac6c718aaf154ea383c7fb60bb96b2879c
SHA256: f6b6e1adf3cb9ac8e3bf314aff9a34d8a52cbf29daa203f8a766d5d826be4c55
SHA512: 86e3ef8cd01887dd893e2bc3dc598e0058110ddf0f6e078b79689acb3ff91c8cba431c0996144c5187c89f3c91be4499e2db035d5e56c393e269b8c8ec0aef9f