Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
19-12-2024 03:57
Behavioral task
behavioral1
Sample
2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe
-
Size
147KB
-
MD5
43341d5a1d976b348d42ad9c0f9c605d
-
SHA1
fe704f8a65f572217bcfe147057dc57adf4476f0
-
SHA256
7320950d74a2fc29fc3067391a3e5f8b180b5cf84e6fbd41d7cb32067ee41c86
-
SHA512
c17578c5b004cf359548dee26fa1c4967608b9aa7536e29413fc916005179ef3b2c2276311afbfa7a0275c0b598417786ae39564178855896768622524b8ab23
-
SSDEEP
3072:J6glyuxE4GsUPnliByocWeplByuVgn/zHHwB65:J6gDBGpvEByocWepyF26
Malware Config
Extracted
C:\4i9YfYWBr.README.txt
Signatures
-
Renames multiple (355) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 2012 39E5.tmp -
Executes dropped EXE 1 IoCs
pid Process 2012 39E5.tmp -
Loads dropped DLL 1 IoCs
pid Process 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\4i9YfYWBr.bmp" 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\4i9YfYWBr.bmp" 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2012 39E5.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 39E5.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies Control Panel 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\WallpaperStyle = "10" 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\4i9YfYWBr 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\4i9YfYWBr\DefaultIcon\ = "C:\\ProgramData\\4i9YfYWBr.ico" 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.4i9YfYWBr 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.4i9YfYWBr\ = "4i9YfYWBr" 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\4i9YfYWBr\DefaultIcon 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp 2012 39E5.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeDebugPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: 36 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeImpersonatePrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeIncBasePriorityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeIncreaseQuotaPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: 33 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeManageVolumePrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeProfSingleProcessPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeRestorePrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSystemProfilePrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeTakeOwnershipPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeShutdownPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeDebugPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2524 wrote to memory of 2012 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 32 PID 2524 wrote to memory of 2012 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 32 PID 2524 wrote to memory of 2012 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 32 PID 2524 wrote to memory of 2012 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 32 PID 2524 wrote to memory of 2012 2524 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 32 PID 2012 wrote to memory of 2204 2012 39E5.tmp 33 PID 2012 wrote to memory of 2204 2012 39E5.tmp 33 PID 2012 wrote to memory of 2204 2012 39E5.tmp 33 PID 2012 wrote to memory of 2204 2012 39E5.tmp 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\ProgramData\39E5.tmp"C:\ProgramData\39E5.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\39E5.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:2204
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x14c1⤵PID:852
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5de08721dddb6ccb0ac2d4787d06a90db
SHA123b07f20e0ad140aaed788d073af2bb1ec6d9bb6
SHA256bdf9e20dce97383b8b199027f934eb64c3a35b9355691ba98310908b30136a98
SHA51212eb6e4fe4c5c8e38f9ec85c84e4d2826f5ab821b82390a0b47eaecf5aece9d18a88a8f2c8de5051f9a06d58a2f22871879457fa9726b47227811676ee244fa6
-
Filesize
1KB
MD53ada01b616e140ae59cdaad69674a811
SHA1704f23db0249fee5710e542e34c49a69f88ca8f1
SHA256aeeb458cd84a400cca7f7e84784d5738476c8b12e5d78c6db715af1b77f487e2
SHA51226061425137a69e7b2c4e76797f0adc95bd6d817d9c40dc2b821f4704cfa1a70cf6c4c6866afa489b74251060dc436c10aaa63cd552d18f511973783938de4f4
-
Filesize
147KB
MD57599b76338846f6b743efa245b536fa1
SHA1f0cafdda111e6f00758582a505c87c7552aa51d4
SHA256f470c69486bf60a43ca24e86a3139c3b9cfd689635125fec203452a77c6fec3b
SHA512a7893832358143eb9628f6ebca43db1a42381bf4da83591fd691926076e83e4a596a982af3f51d3b0265989ae810241e2a68b53a0860bc3a8d015428856c55e5
-
Filesize
129B
MD5df5cfc1fcf0dfc76d37a6b0369b57d53
SHA12117b4cef6e04dbe4550895a5611c9b823b84d44
SHA25616b09f0b09e8c90ede9edad51c0e509b2203d559faa66f369767c7e254ca7667
SHA512afdca962eb58d61079d45fbf92c75c75c2baedf9ef075bf6b38c231c2842bb34fda37af4b5d36d73399ad8f36fee5784aaf1deeb6603fadba099e5eb10df7b06
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf