Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 12:27

General

  • Target

    2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe

  • Size

    156KB

  • MD5

    cc780bb339c7952570528b864770a0c0

  • SHA1

    9bb86df4fcf1d358fb5e9ff372c3b8df3548ad9e

  • SHA256

    ed4483944564f5934b6cb725f2f5055a9da1e243ebd6fe49742e460e867dff41

  • SHA512

    38946eb28c717e25cfe58ccc7b0515ac2adba498124bf9eb45b45cafc7015034dacaee3878f3ff5fe53da0b24ec630a3088e975175a8f989ce9738c46b96986c

  • SSDEEP

    3072:9DDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP33683TvtDvbvizOmpnW:f5d/zugZqll3vl6OG

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\ProgramData\DC3B.tmp
      "C:\ProgramData\DC3B.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DC3B.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1644
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2604
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
    PID:1528

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini

      Filesize

      129B

      MD5

      e1118b84cbe1fc36230467c1cf8550c1

      SHA1

      6203f979fe5ee3e720b26a4e68482cfa73182065

      SHA256

      c69579eb1f00f2b0cc25f5b62f33d808873f36bf7d3cc6827bfb731f43affb71

      SHA512

      fa24dda3bf9492c36c02657cbe93db94ba3ed6ef02c6eefc3a0de944c408559cbe40d450db005e62ad393b71f4ee1a59b38e488552f03167fd26b1b059ae3cdc

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      156KB

      MD5

      0242dc4209d0d258f4f452b70058532b

      SHA1

      e17305fbc8a3e4a14cfefb7ee878ebc5672c2867

      SHA256

      970a1a407c4b40c23140b9db077fa86b8e5560c1542ee01ec0a1742f0cdfbb52

      SHA512

      7043279bc7f13e4dc04735b41b81cbbabcf3acfe533dee3748506d45490eb1dae90c15f01920a5bf8555a235911d11b571a5430927aca7ce0815c006d7acebf8

    • F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      eadc84af39f4981e31bc35ce9ffad7e5

      SHA1

      9658988c538fec44a65b9d3b6e6434fa13c6888b

      SHA256

      298d337f49bc0384b5c4527b2ceb94a98daf2a27dcae0c9e8cd8f1cfa1726f28

      SHA512

      16bed5dbce55a6fcfb88382ac3adf347d53749fd6167dce3342ddc68492716d5b56ba7cb9922dabc3e517e44a4086f48a84a791e2852111f2aa8368e548f3f96

    • \ProgramData\DC3B.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/1352-88-0x0000000000401000-0x0000000000404000-memory.dmp

      Filesize

      12KB

    • memory/1352-92-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/1352-91-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/1352-89-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/1352-121-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/1352-124-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/1480-0-0x0000000002240000-0x0000000002280000-memory.dmp

      Filesize

      256KB