Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-02-2024 12:23

General

  • Target

    2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe

  • Size

    147KB

  • MD5

    2dadaf10d507b44e7b561405d9227bc2

  • SHA1

    5406d642422ca05857447ad82979d6d44c326834

  • SHA256

    6dd44d852226fd9e7fc914c6edbaf185bfcaacdc7a4dcdb7268440e6fc811618

  • SHA512

    0cbd90e6bc68e1052ecc22f90c9e3fbfccc796029e7ef9258f4d5f1b29dfe26c0a0f799b5a406a097c32e1beb27e3c1fdbd65ca67615d1e37f265874ddac2f11

  • SSDEEP

    3072:G6glyuxE4GsUPnliByocWepHLamgTCsUd3Mh:G6gDBGpvEByocWeFLamg+NM

Malware Config

Extracted

Path

C:\G3fEAZsSH.README.txt

Ransom Note
What happens? Your network is encrypted, and currently not operational. e need only money, after payment we wil1 give you a decryptor for the entire network and you wil1 restore al1 the data. >>>> What data stolen? From your network was stolen sensitive data. If you do not contact us we wil1 publish al1 your data in our blog and wil1 send it to the biggest mass media. >>>>What guarantees?We are not a politically motivated group and we do not need anything otherthan your money.If you pay, we will provide you the programs for decryption and we will delete your data.If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goalsWe always keep our promises. >>>>Pay ransom amount contact Email:[email protected] >>>>Payment cryptocurrency address USDT-TRC20 >>>>TN1euwn8NPBcq9ieJvA2roo56eoifCHLZv >>>>payment is completed, send the payment photo to Email: [email protected] >>>>payment is completed Send via email we will provide you the programs Sometimes you will need to wait for our answer because we attack many companies. we will provide you the programs Warning! Recovery recormnendations. We strongly recommend you to do not MODIFY or REPAIR your files, that wil1 damage them
Emails

Signatures

  • Renames multiple (348) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\ProgramData\CC83.tmp
      "C:\ProgramData\CC83.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CC83.tmp >> NUL
        3⤵
          PID:1948
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x154
      1⤵
        PID:1708

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\$Recycle.Bin\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini

        Filesize

        129B

        MD5

        ba71b40da11cc3ebeebd5b611acc7ff1

        SHA1

        399a7221270a4e8677ff8a7e6dcf934a5de46d1a

        SHA256

        ece17e575a0d1c1b5747b4a44d87b47b254c52eda699db70a5602156e89a0f9a

        SHA512

        bf65b44c0283d79678e63998877f76476657e10fef9a7471201eda7dd595074371acecabdb8fef36a52c018fb3af9f71938def7442c46d08dfa55f3abb4e44e3

      • C:\G3fEAZsSH.README.txt

        Filesize

        1KB

        MD5

        c27b4229efac6671942d30719e33225d

        SHA1

        dfc06ec8ae7e1047aedc4e9f8f0c9e83ad69c507

        SHA256

        ccb3796c65736cbb0e28cedc370b210f27dff6877cfb8cec85e75f151b48b630

        SHA512

        5cf85171e683a5982930b047dbfe3278d896b2f146863668620a990003e3467313006fc3e7a139d84f02537a11b42571b7dc958465df8b8caad2091174f992a0

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        147KB

        MD5

        f5136a84e0a9db7d29d498e4b6e64703

        SHA1

        78f8f6d8bf46d0b645c3f921a08ec77cd7a3093a

        SHA256

        2f925c0c719b010b7fd664c38da1881219c8ba1ab05ae800c4bf95253e864761

        SHA512

        552298994e6738e02a798c725a6e630b91bb7b8983210417d6c336e0bf54093da18588f8501a4c402971b4aa7aac6017530b2b5b788786853bc5fc8fcfca32d1

      • F:\$RECYCLE.BIN\S-1-5-21-3427588347-1492276948-3422228430-1000\PPPPPPPPPPP

        Filesize

        129B

        MD5

        cc3a9142ca5235eb0f346e41857971a7

        SHA1

        45bc87b30bcde054e3c2564d4efdb49e235e4f01

        SHA256

        34193d45fc08159f577231235e09a9ccd3aae221875f9fdd186529d15cd7a8cf

        SHA512

        10becb2cd70305dea3d121cb1ab4b4efe332d3827cce60fbbfb06bfd675bc762bb9ce4ee20675147411edcd2f8b380133c3b70a40ae12d9e37d20e7940e86b3e

      • \ProgramData\CC83.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • memory/1544-868-0x0000000002080000-0x00000000020C0000-memory.dmp

        Filesize

        256KB

      • memory/1544-871-0x0000000002080000-0x00000000020C0000-memory.dmp

        Filesize

        256KB

      • memory/1544-873-0x000000007EF80000-0x000000007EF81000-memory.dmp

        Filesize

        4KB

      • memory/1544-874-0x000000007EF20000-0x000000007EF21000-memory.dmp

        Filesize

        4KB

      • memory/1544-866-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

        Filesize

        4KB

      • memory/1544-899-0x000000007EF40000-0x000000007EF41000-memory.dmp

        Filesize

        4KB

      • memory/1544-900-0x000000007EF60000-0x000000007EF61000-memory.dmp

        Filesize

        4KB

      • memory/2224-0-0x0000000000380000-0x00000000003C0000-memory.dmp

        Filesize

        256KB