Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-12-2024 04:02
Behavioral task
behavioral1
Sample
2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe
-
Size
147KB
-
MD5
43341d5a1d976b348d42ad9c0f9c605d
-
SHA1
fe704f8a65f572217bcfe147057dc57adf4476f0
-
SHA256
7320950d74a2fc29fc3067391a3e5f8b180b5cf84e6fbd41d7cb32067ee41c86
-
SHA512
c17578c5b004cf359548dee26fa1c4967608b9aa7536e29413fc916005179ef3b2c2276311afbfa7a0275c0b598417786ae39564178855896768622524b8ab23
-
SSDEEP
3072:J6glyuxE4GsUPnliByocWeplByuVgn/zHHwB65:J6gDBGpvEByocWepyF26
Malware Config
Extracted
C:\4i9YfYWBr.README.txt
Signatures
-
Renames multiple (316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 1860 DB9F.tmp -
Executes dropped EXE 1 IoCs
pid Process 1860 DB9F.tmp -
Loads dropped DLL 1 IoCs
pid Process 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\4i9YfYWBr.bmp" 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\4i9YfYWBr.bmp" 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 1860 DB9F.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DB9F.tmp -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\WallpaperStyle = "10" 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Modifies registry class 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\4i9YfYWBr\DefaultIcon\ = "C:\\ProgramData\\4i9YfYWBr.ico" 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.4i9YfYWBr 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.4i9YfYWBr\ = "4i9YfYWBr" 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\4i9YfYWBr\DefaultIcon 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\4i9YfYWBr 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp 1860 DB9F.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeDebugPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: 36 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeImpersonatePrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeIncBasePriorityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeIncreaseQuotaPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: 33 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeManageVolumePrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeProfSingleProcessPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeRestorePrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSystemProfilePrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeTakeOwnershipPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeShutdownPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeDebugPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2236 wrote to memory of 1860 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 33 PID 2236 wrote to memory of 1860 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 33 PID 2236 wrote to memory of 1860 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 33 PID 2236 wrote to memory of 1860 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 33 PID 2236 wrote to memory of 1860 2236 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 33 PID 1860 wrote to memory of 2084 1860 DB9F.tmp 34 PID 1860 wrote to memory of 2084 1860 DB9F.tmp 34 PID 1860 wrote to memory of 2084 1860 DB9F.tmp 34 PID 1860 wrote to memory of 2084 1860 DB9F.tmp 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\ProgramData\DB9F.tmp"C:\ProgramData\DB9F.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DB9F.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:2084
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x14c1⤵PID:1904
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD56793277d7afa6aa48e25e82db44e0740
SHA1ecd2fe72e693c5c4212d794c098e7028202ae12c
SHA256d98ea5afb42a41f8444db697b18734c4416eede30dd6358e42fefe1d03ce7df4
SHA512bb8d5e45fd41eaa5e5c85bd8885363797c389a6aba934ec26b5b61c3ba3ab67d7b9c4dfdbf159db79a4d40d3a3ef4bcef63f097b5b90f3cdab5b4e9c35c0ca37
-
Filesize
1KB
MD53ada01b616e140ae59cdaad69674a811
SHA1704f23db0249fee5710e542e34c49a69f88ca8f1
SHA256aeeb458cd84a400cca7f7e84784d5738476c8b12e5d78c6db715af1b77f487e2
SHA51226061425137a69e7b2c4e76797f0adc95bd6d817d9c40dc2b821f4704cfa1a70cf6c4c6866afa489b74251060dc436c10aaa63cd552d18f511973783938de4f4
-
Filesize
147KB
MD58d3ac42ce4d601a6064bd8f9a62ccd32
SHA16017ed7d892d3529e866b6461156c08a787829f5
SHA25686d1e626eb4ca91324361ed7b1a054c1f27747199e49bf50b118373ce20dd02e
SHA5122ac09908441bcf90519d22f4dabcac03b408e56abbc9c4d05b8e16c3645f18bed97d07903764a0123ffb2484b3875c2b61e3643bb1000b25a02c89b6d0566dba
-
Filesize
129B
MD5e14b82f534405e030ec5dfc755daddd1
SHA1e80931896c227ebc63dbbacffbb0e5e4e1352b5b
SHA256822d32b69830bb46c6642b40a71a4ab2f3edd25c9ededb849b43bcbdbf103e4a
SHA5123b10084c12b51bc42dfcc1d562b1f426d5c1e3f433fba3d31871658b468f0e88c9238b9f87abf18f048a96f99686164319cbabfb472c6d2bc871683d5ade54e2
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf