Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-02-2024 01:47

General

  • Target
    2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe
  • Size
    146KB
  • MD5
    951a7673b6ad24bfcbf086db0873c7f4
  • SHA1
    67275f726f320df71bbeed04804571cf9e73eb42
  • SHA256
    a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0
  • SHA512
    3b358dd9eb8fa2d18fd436351f21d33dfe5e30057edd9df2e242b1520b447c5efcaa964cb6a8024ed2cff6ff6e60c1f751efc1c9fd8e430352e960d820f6ad36
  • SSDEEP
    1536:izICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDstorzC23uqOKqpGX+1KBh+QHzT:hqJogYkcSNm9V7D1O9FpN12h+QTT

Malware Config

Extracted

Path
C:\2zAdN8qob.README.txt

Ransom Note
~~~ Unlock your files! ~~ Hello, we hacked your PC and encrypted all your files. BUT!!! Fear not, you can decrypt your files and recover everything very easy, You just need to pay a smaill ammount. this is just bussiness. You pay the ransom, we give you the file to decrypt your files, and we move on. We won't attack you again, or talk to anyone about this. Send an email to [email protected] or [email protected] and talk to us. You would need to buy XMR (Monero) to make the payment, it's very easy. or follow an online guide, ask us in the email if you need help. >>>> >>>> Your personal DECRYPTION ID: 27A6097BD4987E4AE6BA315A2B3B52A2 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!

Signatures

  • Renames multiple (311) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\ProgramData\61BF.tmp
      "C:\ProgramData\61BF.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\61BF.tmp >> NUL
        3⤵
        PID:2776
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x154
    1⤵
    PID:1584

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini
    Filesize
    129B
    MD5
    e77d37b790e6a4c2e55fec4f46d5c8c1
    SHA1
    27ec916543e1dc85f1ba86faa96d927d008d5b96
    SHA256
    1d3db89070d0a40177a107940b78c36de5b82caab7bba1d4f0b1bf6674e39df4
    SHA512
    1cff47b22998e04c6e778b0c84161e1d5e012aa30c8a07be4442471d601beb460820f46ef93b05f07d3130d432228f5d401c5f58cbac09181ca9add8f9bb3517
  • C:\2zAdN8qob.README.txt
    Filesize
    989B
    MD5
    5ddb821b9f16c355689466bbf403c709
    SHA1
    0af9cd9d9dbd3745f0dcd64f07aac19c749884a7
    SHA256
    c3a9f3fd8c57ecc6361b705409279b96b228de99ef056e0dc9b51819746bc8d6
    SHA512
    1da4c9268eba6a19fc136e5d3feb670a8c213f9382c5a202ed4af894da0e2d60e8540aec2785de93428046a39bf6128df36ff8cab8dca30fae693d4beab44c1a
  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
    Filesize
    146KB
    MD5
    76f22172160f0960caa3fe841a3183aa
    SHA1
    c730070e40110c58af0453194327c6712740f1b7
    SHA256
    84f040d08fbe8ec75899bf49f980d295767fa606b59bfbde2b4a1217b8db6c41
    SHA512
    60539e8252042b4c1e5823e1a71c3124a0f6b39c5d6c582ef2a5d712d9117a699ed1f264205d72468622963ccab3a8a8c4b99d10fca0c7017762267eac512240
  • F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\DDDDDDDDDDD
    Filesize
    129B
    MD5
    d953149cebe7b051c1dae623b8db160e
    SHA1
    e6708fed7fbd56dcfb90d639332ed80ee7706b94
    SHA256
    16b6b8dc20f795bef8ccee48ab24685cb69bb2ed2467d89ad7dca2681ffef1c8
    SHA512
    be7f8a24f99f283fc3256558302c1efcdd2897d9addf36001b658d3b4edf74c453d751ce99a019b9fb62e88f4600bf1e17fdccb9ebcdd8aea9daca86a418fb51
  • \ProgramData\61BF.tmp
    Filesize
    14KB
    MD5
    294e9f64cb1642dd89229fff0592856b
    SHA1
    97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256
    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512
    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
  • memory/768-837-0x000000007EFA0000-0x000000007EFA1000-memory.dmp
    Filesize
    4KB
  • memory/768-838-0x0000000000250000-0x0000000000290000-memory.dmp
    Filesize
    256KB
  • memory/768-839-0x000000007EF80000-0x000000007EF81000-memory.dmp
    Filesize
    4KB
  • memory/768-840-0x000000007EF20000-0x000000007EF21000-memory.dmp
    Filesize
    4KB
  • memory/768-870-0x000000007EF60000-0x000000007EF61000-memory.dmp
    Filesize
    4KB
  • memory/768-869-0x000000007EF40000-0x000000007EF41000-memory.dmp
    Filesize
    4KB
  • memory/2212-0-0x00000000001C0000-0x0000000000200000-memory.dmp
    Filesize
    256KB