Malware Analysis Report

2025-08-05 17:08

Sample ID 230331-v3jpmsdd4t
Target Ransomware.Win64.Darkpower.zip
SHA256 9a18fdec476ae659ae5d79a06c9fdf7f0a36e685430a9bc2b59418604bf785ad
Tags
ransomware spyware stealer
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
8/10

SHA256

9a18fdec476ae659ae5d79a06c9fdf7f0a36e685430a9bc2b59418604bf785ad

Threat Level: Likely malicious

The file Ransomware.Win64.Darkpower.zip was found to be: Likely malicious.

Malicious Activity Summary

ransomware spyware stealer

Modifies extensions of user files

Deletes itself

Reads user/profile data of web browsers

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-31 17:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-31 17:30

Reported

2023-03-31 17:32

Platform

win7-20230220-en

Max time kernel

83s

Max time network

37s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe"

Signatures

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\WriteSubmit.tiff | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A
File renamed | C:\Users\Admin\Pictures\WriteSubmit.tiff => C:\Users\Admin\Pictures\WriteSubmit.tiff.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A
File renamed | C:\Users\Admin\Pictures\InstallUnprotect.png => C:\Users\Admin\Pictures\InstallUnprotect.png.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A
File renamed | C:\Users\Admin\Pictures\DenyProtect.png => C:\Users\Admin\Pictures\DenyProtect.png.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A
File renamed | C:\Users\Admin\Pictures\OpenConnect.raw => C:\Users\Admin\Pictures\OpenConnect.raw.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A
File renamed | C:\Users\Admin\Pictures\StepEdit.tif => C:\Users\Admin\Pictures\StepEdit.tif.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnblockOut.raw => C:\Users\Admin\Pictures\UnblockOut.raw.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A
File renamed | C:\Users\Admin\Pictures\StartSet.raw => C:\Users\Admin\Pictures\StartSet.raw.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe

"C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x520

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"

Network

N/A

Files

memory/1092-54-0x000000013FA50000-0x000000013FB7F000-memory.dmp

C:\Users\Public\Libraries\readme.pdf

MD5 e7a1ded35fa8603ad2d8ea413ed70822
SHA1 8e51bc110584663dc297af70b76173b9a05bb39e
SHA256 c14c8e924987138d0ec9c1a99dd5ac728ce102aa5c6b13829ec8d21ddb243f28
SHA512 e1122f6bf05dc22ed840ace88a6c3823db98fb05362e5cac3202bd49951593e562d57e3fe7cf05a1dfcf6b34c2e594f999287fb8ed973a3b870cce2a4e9955b4

memory/1092-376-0x000000013FA50000-0x000000013FB7F000-memory.dmp

memory/1092-381-0x000000013FA50000-0x000000013FB7F000-memory.dmp

C:\Users\Admin\Desktop\readme.pdf

MD5 e7a1ded35fa8603ad2d8ea413ed70822
SHA1 8e51bc110584663dc297af70b76173b9a05bb39e
SHA256 c14c8e924987138d0ec9c1a99dd5ac728ce102aa5c6b13829ec8d21ddb243f28
SHA512 e1122f6bf05dc22ed840ace88a6c3823db98fb05362e5cac3202bd49951593e562d57e3fe7cf05a1dfcf6b34c2e594f999287fb8ed973a3b870cce2a4e9955b4

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-31 17:30

Reported

2023-03-31 17:34

Platform

win10v2004-20230221-en

Max time kernel

169s

Max time network

205s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe"

Signatures

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\ExportRepair.png => C:\Users\Admin\Pictures\ExportRepair.png.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A
File renamed | C:\Users\Admin\Pictures\DebugClose.tif => C:\Users\Admin\Pictures\DebugClose.tif.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Processes

C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe

"C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

Country | Destination | Domain | Proto
US | 20.189.173.4:443 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 93.184.221.240:80 | | tcp
US | 52.152.110.14:443 | | tcp
US | 52.152.110.14:443 | | tcp
US | 8.8.8.8:53 | 133.17.126.40.in-addr.arpa | udp
US | 52.152.110.14:443 | | tcp
US | 52.152.110.14:443 | | tcp
US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.233.140.95.in-addr.arpa | udp
US | 52.152.110.14:443 | | tcp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 52.152.110.14:443 | | tcp
US | 52.152.110.14:443 | | tcp

Files

memory/1636-133-0x00007FF792200000-0x00007FF79232F000-memory.dmp

memory/1636-134-0x00007FF792200000-0x00007FF79232F000-memory.dmp

memory/1636-135-0x00007FF792200000-0x00007FF79232F000-memory.dmp

C:\Users\Admin\Favorites\readme.pdf

MD5 e7a1ded35fa8603ad2d8ea413ed70822
SHA1 8e51bc110584663dc297af70b76173b9a05bb39e
SHA256 c14c8e924987138d0ec9c1a99dd5ac728ce102aa5c6b13829ec8d21ddb243f28
SHA512 e1122f6bf05dc22ed840ace88a6c3823db98fb05362e5cac3202bd49951593e562d57e3fe7cf05a1dfcf6b34c2e594f999287fb8ed973a3b870cce2a4e9955b4

memory/1636-207-0x00007FF792200000-0x00007FF79232F000-memory.dmp

memory/1636-247-0x00007FF792200000-0x00007FF79232F000-memory.dmp

memory/1636-310-0x00007FF792200000-0x00007FF79232F000-memory.dmp

memory/1636-367-0x00007FF792200000-0x00007FF79232F000-memory.dmp

memory/1636-392-0x00007FF792200000-0x00007FF79232F000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-03-31 17:30

Reported

2023-03-31 17:33

Platform

win7-20230220-en

Max time kernel

44s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe"

Signatures

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\BlockImport.tiff | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File renamed | C:\Users\Admin\Pictures\BlockImport.tiff => C:\Users\Admin\Pictures\BlockImport.tiff.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File renamed | C:\Users\Admin\Pictures\MoveRepair.png => C:\Users\Admin\Pictures\MoveRepair.png.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File renamed | C:\Users\Admin\Pictures\SkipDisable.tiff => C:\Users\Admin\Pictures\SkipDisable.tiff.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File renamed | C:\Users\Admin\Pictures\SearchMount.tif => C:\Users\Admin\Pictures\SearchMount.tif.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File renamed | C:\Users\Admin\Pictures\BlockSearch.tif => C:\Users\Admin\Pictures\BlockSearch.tif.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File renamed | C:\Users\Admin\Pictures\ConfirmSend.raw => C:\Users\Admin\Pictures\ConfirmSend.raw.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SkipDisable.tiff | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File renamed | C:\Users\Admin\Pictures\ConnectSave.crw => C:\Users\Admin\Pictures\ConnectSave.crw.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe

"C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

N/A

Files

memory/1744-54-0x000000013F880000-0x000000013F97C000-memory.dmp

C:\Users\Public\Libraries\readme.pdf

MD5 ea36e01b49cf28d5983a9a0248832906
SHA1 a9aa07e277a1ad65b0b57f7336f391bc81a7cc84
SHA256 086dbf48629378a584486e69147777562f0a7f2acab56ab998ce2f3846b43e2e
SHA512 33050edf8b47acc269078a99080314baab74e2342c6b33e5ef46db5bbadb0dc86459b0e4be6c07be9fd99991b1bfcf1bec879834acb227cdfbeda041a92441f1

memory/1744-382-0x000000013F880000-0x000000013F97C000-memory.dmp

memory/1744-386-0x000000013F880000-0x000000013F97C000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2023-03-31 17:30

Reported

2023-03-31 17:33

Platform

win10v2004-20230220-en

Max time kernel

61s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe"

Signatures

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\UnlockNew.tif => C:\Users\Admin\Pictures\UnlockNew.tif.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File renamed | C:\Users\Admin\Pictures\DisconnectBackup.tif => C:\Users\Admin\Pictures\DisconnectBackup.tif.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File renamed | C:\Users\Admin\Pictures\PingTest.tiff => C:\Users\Admin\Pictures\PingTest.tiff.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File renamed | C:\Users\Admin\Pictures\StopConvert.crw => C:\Users\Admin\Pictures\StopConvert.crw.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File renamed | C:\Users\Admin\Pictures\SaveOptimize.tiff => C:\Users\Admin\Pictures\SaveOptimize.tiff.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\UnpublishConfirm.tiff | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\OptimizePop.tiff | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File renamed | C:\Users\Admin\Pictures\OptimizePop.tiff => C:\Users\Admin\Pictures\OptimizePop.tiff.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\PingTest.tiff | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SaveOptimize.tiff | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnpublishConfirm.tiff => C:\Users\Admin\Pictures\UnpublishConfirm.tiff.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\CopyUpdate.tiff | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A
File renamed | C:\Users\Admin\Pictures\CopyUpdate.tiff => C:\Users\Admin\Pictures\CopyUpdate.tiff.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe

"C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

Country | Destination | Domain | Proto
DE | 193.233.20.36:80 | | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 117.18.237.29:80 | | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 20.189.173.1:443 | | tcp
NL | 8.238.177.126:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp
NL | 8.238.177.126:80 | | tcp

Files

memory/4228-133-0x00007FF7EA350000-0x00007FF7EA44C000-memory.dmp

C:\Users\Admin\Favorites\readme.pdf

MD5 ea36e01b49cf28d5983a9a0248832906
SHA1 a9aa07e277a1ad65b0b57f7336f391bc81a7cc84
SHA256 086dbf48629378a584486e69147777562f0a7f2acab56ab998ce2f3846b43e2e
SHA512 33050edf8b47acc269078a99080314baab74e2342c6b33e5ef46db5bbadb0dc86459b0e4be6c07be9fd99991b1bfcf1bec879834acb227cdfbeda041a92441f1

memory/4228-400-0x00007FF7EA350000-0x00007FF7EA44C000-memory.dmp

memory/4228-441-0x00007FF7EA350000-0x00007FF7EA44C000-memory.dmp