Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 12:27
The signatures, process tree and downloads below are from this Windows 7 x64 run.
Behavioral task behavioral1
  Sample: 2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  Resource: win7-20240903-en
Behavioral task behavioral2
  Sample: 2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  Resource: win10v2004-20241007-en
General
Target: 2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
Size: 156KB
MD5: cc780bb339c7952570528b864770a0c0
SHA1: 9bb86df4fcf1d358fb5e9ff372c3b8df3548ad9e
SHA256: ed4483944564f5934b6cb725f2f5055a9da1e243ebd6fe49742e460e867dff41
SHA512: 38946eb28c717e25cfe58ccc7b0515ac2adba498124bf9eb45b45cafc7015034dacaee3878f3ff5fe53da0b24ec630a3088e975175a8f989ce9738c46b96986c
SSDEEP: 3072:9DDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP33683TvtDvbvizOmpnW:f5d/zugZqll3vl6OG
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   Process
  1352  DC3B.tmp
Executes dropped EXE (1 IoC)
  pid   Process
  1352  DC3B.tmp
Loads dropped DLL (1 IoC)
  pid   Process
  1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
Drops desktop.ini file(s) (2 IoCs)
  description                   ioc                                                                        Process
  File opened for modification  C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini   2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini   2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
The second entry is on the F: volume, so the sample walked more than the system drive.
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity. Here the dropped DC3B.tmp (PID 1352) removes its own image through a cmd.exe child (PID 1644, see Processes), which is why "Deletes itself" is attributed to that PID.
Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
ThreadHideFromDebugger stops debug events for the calling thread from being delivered to an attached debugger; both the sample and the dropped DC3B.tmp apply it.
  pid   Process                                                     occurrences
  1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe   6
  1352  DC3B.tmp                                                    6
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Consistent with the F:\ path in the desktop.ini signature above.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DC3B.tmp
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Note that the system's own cmd.exe trips the same signature: opening NLS\Language is a routine locale lookup, so this IoC is weak evidence on its own.
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process                                                     occurrences
  1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe   12
Suspicious behavior: RenamesItself (26 IoCs)
  pid   Process   occurrences
  1352  DC3B.tmp  26
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Distinct token adjustments, in the order the report lists them:
  Token                          pid   Process
  SeAssignPrimaryTokenPrivilege  1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  SeBackupPrivilege              1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  SeDebugPrivilege               1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  36 (LUID, name not resolved)   1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  SeImpersonatePrivilege         1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  SeIncBasePriorityPrivilege     1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  SeIncreaseQuotaPrivilege       1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  33 (LUID, name not resolved)   1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  SeManageVolumePrivilege        1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  SeProfSingleProcessPrivilege   1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  SeRestorePrivilege             1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  SeSecurityPrivilege            1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  SeSystemProfilePrivilege       1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  SeTakeOwnershipPrivilege       1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  SeShutdownPrivilege            1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  SeDebugPrivilege               1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  SeBackupPrivilege              2604  vssvc.exe
  SeRestorePrivilege             2604  vssvc.exe
  SeAuditPrivilege               2604  vssvc.exe
The remaining entries, which make up the bulk of the 64, are PID 1480 re-enabling SeBackupPrivilege and SeSecurityPrivilege in alternating pairs for the rest of the run.
The two raw values are privilege LUIDs the sandbox could not map to a name; in the well-known Windows privilege numbering 33 is SeIncreaseWorkingSetPrivilege and 36 is SeDelegateSessionUserImpersonatePrivilege. The set as a whole is what a file-encrypting process wants: SeBackupPrivilege and SeRestorePrivilege open files regardless of their ACLs, SeTakeOwnershipPrivilege and SeSecurityPrivilege cover owner and SACL changes, and SeDebugPrivilege opens other processes.
Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                                     procid_target  occurrences
  PID 1480 wrote to memory of 1352  1480  2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe   34             5
  PID 1352 wrote to memory of 1644  1352  DC3B.tmp                                                    37             4
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run vssvc.exe (PID 2604) started and enabled SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege (see AdjustPrivilegeToken above); the report does not show which VSS calls the sample made.
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe"
   PID: 1480
   - Loads dropped DLL
   - Drops desktop.ini file(s)
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\DC3B.tmp
      Command line: "C:\ProgramData\DC3B.tmp"
      PID: 1352
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DC3B.tmp >> NUL
         PID: 1644
         - System Location Discovery: System Language Discovery
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   PID: 2604
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\system32\AUDIODG.EXE
   Command line: C:\Windows\system32\AUDIODG.EXE 0x14c
   PID: 1528
Reading the tree: the sample (PID 1480) drops DC3B.tmp into C:\ProgramData and runs it; DC3B.tmp then spawns cmd.exe to delete its own image, naming it by the 8.3 short path C:\PROGRA~3\DC3B.tmp (the parent's path shows that C:\PROGRA~3 is C:\ProgramData on this volume). The cmd.exe image is under SysWOW64 while the command line names System32\cmd.exe, i.e. a 32-bit process launched it and WOW64 file-system redirection picked the 32-bit binary. vssvc.exe starting during the run is what the Volume Shadow Copy COM API signature refers to. AUDIODG.EXE (the Windows audio device graph host) has no signatures attached.
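As an added example (not part of the sandbox report, and not the sample's or the sandbox's code), the following Python detection logic encodes the self-deletion chain visible in the process tree above: an image with a non-executable extension running from C:\ProgramData, then a cmd.exe child whose DEL operand is its parent's own image. The Sysmon-style events are constructed from this report's PIDs, image paths and command lines; the dict layout, the parent PIDs marked as assumed, the benign control events at the end, and the 8.3 short-name table are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed Sysmon-style process-creation events mirroring the process tree in
# this report (PIDs, images and command lines as shown there). The dict layout
# is illustrative; parent PIDs marked "assumed" and the benign control at the end
# are not report data.
EVENTS: List[Dict] = [
    {"pid": 1480, "ppid": 999,  # parent of the sample is not in the report: assumed
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe"'},
    {"pid": 1352, "ppid": 1480,
     "image": r"C:\ProgramData\DC3B.tmp",
     "cmdline": r'"C:\ProgramData\DC3B.tmp"'},
    {"pid": 1644, "ppid": 1352,
     "image": r"C:\Windows\SysWOW64\cmd.exe",  # WOW64 redirection: the cmdline names System32
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DC3B.tmp >> NUL'},
    {"pid": 2604, "ppid": 600,  # services.exe as parent: assumed
     "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
    # Benign control (constructed): an installer deleting its own log file, not its image.
    {"pid": 3000, "ppid": 999,
     "image": r"C:\Users\Admin\Downloads\setup.exe",
     "cmdline": r'"C:\Users\Admin\Downloads\setup.exe"'},
    {"pid": 3001, "ppid": 3000,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\setup.log'},
]

# 8.3 short names seen in this report. The mapping is per-volume and depends on
# directory creation order, so it is an assumption here; build it from the host
# (`cmd /c dir /x C:\`) before deploying.
SHORT_NAMES = {r"C:\PROGRA~3": r"C:\ProgramData"}

# `DEL`, any number of single-letter switches, then the first file operand.
_DEL_RE = re.compile(r'\bDEL\b((?:\s+/[A-Z])*)\s+("[^"]+"|\S+)', re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Strip quotes, expand known 8.3 prefixes and fold case, so that
    C:\\PROGRA~3\\DC3B.tmp and C:\\ProgramData\\DC3B.tmp compare equal."""
    p = path.strip('"')
    for short, full in SHORT_NAMES.items():
        if p.upper().startswith(short.upper()):
            p = full + p[len(short):]
            break
    return p.upper()


def basename(path: str) -> str:
    """Last path component, upper-cased."""
    return path.rsplit("\\", 1)[-1].upper()


def del_target(cmdline: str) -> Optional[str]:
    """First file operand of a DEL in a cmd.exe command line, or None."""
    m = _DEL_RE.search(cmdline)
    return m.group(2) if m else None


def dropped_executables(events: List[Dict]) -> List[int]:
    """PIDs whose image lives under C:\\ProgramData without an .exe/.dll
    extension: the 'Executes dropped EXE' plus RenamesItself pattern."""
    hits = []
    for e in events:
        img = normalize_path(e["image"])
        if img.startswith("C:\\PROGRAMDATA\\") and not img.endswith((".EXE", ".DLL")):
            hits.append(e["pid"])
    return hits


def self_delete_via_cmd(events: List[Dict]) -> List[Tuple[int, int, str]]:
    """(child pid, parent pid, deleted path) for every cmd.exe whose DEL operand
    is its parent's own image. cmd.exe is matched on basename, not full path,
    because a 32-bit parent gets SysWOW64\\cmd.exe via WOW64 redirection."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "CMD.EXE":
            continue
        target = del_target(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if target is None or parent is None:
            continue
        if normalize_path(target) == normalize_path(parent["image"]):
            hits.append((e["pid"], e["ppid"], normalize_path(target)))
    return hits


if __name__ == "__main__":
    print("dropped executables:", dropped_executables(EVENTS))
    print("self-deletion via cmd.exe:", self_delete_via_cmd(EVENTS))
```

Two caveats the report itself illustrates: match cmd.exe on its basename, because WOW64 redirection changes the image path the parent asked for, and expand 8.3 short names before comparing paths, otherwise C:\PROGRA~3\DC3B.tmp never equals the parent's C:\ProgramData\DC3B.tmp and the self-deletion is missed.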
Network
MITRE ATT&CK Enterprise v15
Downloads
Download 1
  Filesize: 129B
  MD5: e1118b84cbe1fc36230467c1cf8550c1
  SHA1: 6203f979fe5ee3e720b26a4e68482cfa73182065
  SHA256: c69579eb1f00f2b0cc25f5b62f33d808873f36bf7d3cc6827bfb731f43affb71
  SHA512: fa24dda3bf9492c36c02657cbe93db94ba3ed6ef02c6eefc3a0de944c408559cbe40d450db005e62ad393b71f4ee1a59b38e488552f03167fd26b1b059ae3cdc
Download 2
  Filesize: 156KB
  MD5: 0242dc4209d0d258f4f452b70058532b
  SHA1: e17305fbc8a3e4a14cfefb7ee878ebc5672c2867
  SHA256: 970a1a407c4b40c23140b9db077fa86b8e5560c1542ee01ec0a1742f0cdfbb52
  SHA512: 7043279bc7f13e4dc04735b41b81cbbabcf3acfe533dee3748506d45490eb1dae90c15f01920a5bf8555a235911d11b571a5430927aca7ce0815c006d7acebf8
Download 3
  Filesize: 129B
  MD5: eadc84af39f4981e31bc35ce9ffad7e5
  SHA1: 9658988c538fec44a65b9d3b6e6434fa13c6888b
  SHA256: 298d337f49bc0384b5c4527b2ceb94a98daf2a27dcae0c9e8cd8f1cfa1726f28
  SHA512: 16bed5dbce55a6fcfb88382ac3adf347d53749fd6167dce3342ddc68492716d5b56ba7cb9922dabc3e517e44a4086f48a84a791e2852111f2aa8368e548f3f96
Download 4
  Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
The report does not name these artifacts. The 156KB download has the same size as the submitted sample but different hashes; treat all four hash sets as separate indicators rather than assuming which dropped file each belongs to.