Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
16-12-2024 17:25
Behavioral task
behavioral1
Sample
2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe
-
Size
147KB
-
MD5
2827781d295d54cdb5d199c19aef469d
-
SHA1
308b01ec5ba7e3283353bb7cdbf85010017f99e8
-
SHA256
d2468b77968df53b4335668c1a5313dd007d9ab528541bab28f74b4f170988fa
-
SHA512
4afdcf585fb43e5001c77b50377f1d4c9dc2ab7925dceb1ed552e112bce6ea3ec122d18f3c08efb5a5b2e2b7fbf7cd396e53f025d5e7d5f5f3f7d69b8e73e334
-
SSDEEP
3072:36glyuxE4GsUPnliByocWepZaGGtgp8FDJ94dElJnxB:36gDBGpvEByocWe2xZFXhbnz
Malware Config
Extracted
C:\FIPNplZX1.README.txt
Signatures
-
Renames multiple (352) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 1588 CA32.tmp -
Executes dropped EXE 1 IoCs
pid Process 1588 CA32.tmp -
Loads dropped DLL 1 IoCs
pid Process 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 1588 CA32.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CA32.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp 1588 CA32.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeDebugPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: 36 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeImpersonatePrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeIncBasePriorityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeIncreaseQuotaPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: 33 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeManageVolumePrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeProfSingleProcessPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeRestorePrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSystemProfilePrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeTakeOwnershipPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeShutdownPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeDebugPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeBackupPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe Token: SeSecurityPrivilege 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2372 wrote to memory of 1588 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 32 PID 2372 wrote to memory of 1588 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 32 PID 2372 wrote to memory of 1588 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 32 PID 2372 wrote to memory of 1588 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 32 PID 2372 wrote to memory of 1588 2372 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe 32 PID 1588 wrote to memory of 3020 1588 CA32.tmp 33 PID 1588 wrote to memory of 3020 1588 CA32.tmp 33 PID 1588 wrote to memory of 3020 1588 CA32.tmp 33 PID 1588 wrote to memory of 3020 1588 CA32.tmp 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\ProgramData\CA32.tmp"C:\ProgramData\CA32.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CA32.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:3020
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1481⤵PID:2208
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD52be621f525d74cb972d5f7abdcf5e41e
SHA1962073f255caa73e589f7004211314dbfd18d051
SHA256b4c44a08bf39ad780b3989a88d75dc609efbe8b0ede0ab1c6d4fb94e5b803ed8
SHA512aeea7f487fbb414630bf2afcb59fa130d51dc21ecf4211df9e1be4005901fae5ab7b3302e8d6c68b02a85a0978aaeae30d54d571fd1d2a5deeeda2692982dd8b
-
Filesize
1KB
MD5c3803489d648c667e76f7e69bbf99425
SHA1923be0e99a0d0d1e7c74d25629a4bceae1beecff
SHA256ab2faed7f50018bcb6759604ce44dfa0def3c0ac5ce666bb1ead807cca7f4e8a
SHA51226ae96dbf3f3864f8a512c68e9716b597ad0ae663fd2c36085e76cb25c1af35e3bde9ca74579c417f66a9889264292de18650b5123edc7fc92e6a9df7cc372e7
-
Filesize
147KB
MD5bbf94c46ffdeea57bf36cc4e4bbdbd15
SHA16e163036d723a9670e990edb08e91304438424c7
SHA256a6706123ae218fe0fbd5c684717bf90280278284c2cc14ef2cab8a8186715d1f
SHA5123432729d210e42743946f5e7bca9b9a49ee96cc3fb6ab99d37cf4e929d942516a451a5ee6740a75609acb24c5ace7dbf678b34e6751a3883a322afc13b16f808
-
Filesize
129B
MD5c3c5a2a04a62bb20e7031689b12c62cc
SHA19ee01b340013a453a83e01c9f40fde3b508abafc
SHA256609af5fad29309300e0273639b50d63d85967311e2c441bcd3f5e1cc65946ff2
SHA512f3d647bd571ab7b1a68459dcab449c9a78049d7d7a03584d6950675f361205d9991f844c98ac624dbbb05ee476aba27da10545efc766a66d1db9e29e2b256a97
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf