Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 22-12-2024 12:27
Behavioral task behavioral1
  Sample: 2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  Resource: win7-20240903-en
Behavioral task behavioral2
  Sample: 2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  Resource: win10v2004-20241007-en
General
Target: 2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
Size: 156KB
MD5: cc780bb339c7952570528b864770a0c0
SHA1: 9bb86df4fcf1d358fb5e9ff372c3b8df3548ad9e
SHA256: ed4483944564f5934b6cb725f2f5055a9da1e243ebd6fe49742e460e867dff41
SHA512: 38946eb28c717e25cfe58ccc7b0515ac2adba498124bf9eb45b45cafc7015034dacaee3878f3ff5fe53da0b24ec630a3088e975175a8f989ce9738c46b96986c
SSDEEP: 3072:9DDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP33683TvtDvbvizOmpnW:f5d/zugZqll3vl6OG
Malware Config
Signatures
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (process: CB2F.tmp)
Deletes itself 1 IoCs
PID 3520, process CB2F.tmp
Executes dropped EXE 1 IoCs
PID 3520, process CB2F.tmp
Drops desktop.ini file(s) 2 IoCs
File opened for modification: C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini (process: 2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe)
File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini (process: 2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe)
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
PID 3332, process 2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe (6 hits)
PID 3520, process CB2F.tmp (6 hits)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: CB2F.tmp)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
Suspicious behavior: EnumeratesProcesses 12 IoCs
PID 3332, process 2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe (12 hits)
Suspicious behavior: RenamesItself 26 IoCs
PID 3520, process CB2F.tmp (26 hits)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Rows are (Token, PID, Process). PID 3332 is 2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe; PID 1656 is vssvc.exe.
Token: SeAssignPrimaryTokenPrivilege, PID 3332
Token: SeBackupPrivilege, PID 3332
Token: SeDebugPrivilege, PID 3332
Token: 36, PID 3332
Token: SeImpersonatePrivilege, PID 3332
Token: SeIncBasePriorityPrivilege, PID 3332
Token: SeIncreaseQuotaPrivilege, PID 3332
Token: 33, PID 3332
Token: SeManageVolumePrivilege, PID 3332
Token: SeProfSingleProcessPrivilege, PID 3332
Token: SeRestorePrivilege, PID 3332
Token: SeSecurityPrivilege, PID 3332
Token: SeSystemProfilePrivilege, PID 3332
Token: SeTakeOwnershipPrivilege, PID 3332
Token: SeShutdownPrivilege, PID 3332
Token: SeDebugPrivilege, PID 3332
Token: SeBackupPrivilege, PID 1656
Token: SeRestorePrivilege, PID 1656
Token: SeAuditPrivilege, PID 1656
The remaining 45 rows are all PID 3332 and alternate in pairs: SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, and so on, ending on SeBackupPrivilege (23 SeBackupPrivilege rows, 22 SeSecurityPrivilege rows; 64 rows in total).
Suspicious use of WriteProcessMemory 7 IoCs
PID 3332 (2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe) wrote to memory of PID 3520, procid_target 86 (4 hits)
PID 3520 (CB2F.tmp) wrote to memory of PID 4572, procid_target 100 (3 hits)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-22_cc780bb339c7952570528b864770a0c0_darkside.exe"
  - Drops desktop.ini file(s)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3332
    C:\ProgramData\CB2F.tmp
      Command line: "C:\ProgramData\CB2F.tmp"
      - Checks computer location settings
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      PID: 3520
        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CB2F.tmp >> NUL
          - System Location Discovery: System Language Discovery
          PID: 4572
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1656
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 129B
MD5: e56278f17ed8e8d3d1b9c29abe3d89aa
SHA1: bd066678197957d4c68ef9f0684306b3d486c50b
SHA256: 560bacf10e30f4d1de4d81248b845bf19dcf68e8503d0996598e87e756c44efe
SHA512: ab1e236cab2998676a6aca9af084937fc7777e2f04f2777b896d335b58ba601e36cc930bbb42d811f6de032e251044184c425ecea8e0e476ba5729a76466ed06
-
Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize: 156KB
MD5: 50aca7e787cf0b3b59219478e3855fb1
SHA1: e81004d34e489eac4622b001be217c8593033d7c
SHA256: 4f11baddcc844e13f4e846bf7a6ab94c9daa2244c2f300fdee0f52416284c28f
SHA512: 2d3daa8a06f136f5b86e4a1aebf3536d4ed77cb5264790bcb223a6db0cf0d9c23a910c33b42f4517a79f9d3291c10c6192e3d5cea6663a8e865a2031709b96fc
-
Filesize: 129B
MD5: 281d1b65cdd28f1d2e5c5a2914688545
SHA1: f628c2e0ae9415218a1a230092266f163a85bc44
SHA256: dc1e15a1c87abb8fbb5691db8ff5771f53ef73c35cde0237c0ce5ef9820a9ce2
SHA512: 8e2878dd1e2c8c7ff1f78f9ea173a8e7b832e7aee66f1a3288044971b03e42a01dd51f6fe7b980e193d60c00614bad36c1d4f387ef34fe46385cf68f351afcff