Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-03-2024 17:33

General

  • Target

    2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe

  • Size

    147KB

  • MD5

    66b3e535355102fd0cede6506739e474

  • SHA1

    5a20c4d8bbb2495c817c92cfa060a6a235e6ed36

  • SHA256

    9b3cd385077933c2a72cba58d23dcde77852818c3ce1a361baa5c6bbd915b82f

  • SHA512

    f11bd1ed1f2f601ed5db353ff2f85982b3218e3a60f6d58c8f5f5a23df7560fce8fd67da37fe7ef6bc31de2883eb17c2389a1195820968562740a0e46c1569e6

  • SSDEEP

    3072:T6glyuxE4GsUPnliByocWepjUeRBGYENO6g:T6gDBGpvEByocWexUeR0Y2N

Malware Config

Extracted

Path

C:\NupqqeiS5.README.txt

Ransom Note

What happens? Your network is encrypted, and currently not operational. e need only money, after payment we wil1 give you a decryptor for the entire network and you wil1 restore al1 the data.
>>>> What data stolen? From your network was stolen sensitive data. If you do not contact us we wil1 publish al1 your data in our blog and wil1 send it to the biggest mass media.
>>>>What guarantees?We are not a politically motivated group and we do not need anything otherthan your money.If you pay, we will provide you the programs for decryption and we will delete your data.If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goalsWe always keep our promises.
>>>>Pay ransom amount contact Email:[email protected]
>>>>Payment cryptocurrency address USDT-TRC20
>>>>TTpEpsPpRH5KSWyqfK1KEvsrJSYKcjbxJ9
>>>>payment is completed, send the payment photo to Email: [email protected]
>>>>payment is completed Send via email we will provide you the programs Sometimes you will need to wait for our answer because we attack many companies. we will provide you the programs Warning! Recovery recormnendations. We strongly recommend you to do not MODIFY or REPAIR your files, that wil1 damage them
Emails

Signatures

  • Renames multiple (329) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\ProgramData\93C7.tmp
      "C:\ProgramData\93C7.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\93C7.tmp >> NUL
        3⤵
          PID:2300
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x154
      1⤵
        PID:1588

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini

        Filesize

        129B

        MD5

        5b8bfc098813cddf9d7312fc296ecd0d

        SHA1

        503a450b3cd5ba3ff097caa9321b6a802dc1766d

        SHA256

        b5a57ad3dd2deeba4b74508c7ca1ba5f3cb30af77074e1153d212987192f812e

        SHA512

        26d95876f134b091533b165af8d89abfa1ff51da73e06d30ab59ac32bd002bdd26ac45b6fe7b4447eaf7802fc8e246c8cddab860a4842006f7b05150a3b8b99f

      • C:\NupqqeiS5.README.txt

        Filesize

        1KB

        MD5

        fb07c785132ffb451b7865b5f8be8793

        SHA1

        6ef563addf7aa1bc0a99b70a621bd7ba430a9412

        SHA256

        369475944802faa69d76362094571070a549f9153e29cf5d54e5fd34e36ca0bd

        SHA512

        92f1dadc9de8a3dd1aee9b5310b66ca9d98b26e587cf298e8967995fb2974a842c57e4c1d3458575a1890997cb62151ebbfce679c520f9868ec2d6ffa022f8fc

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        147KB

        MD5

        0ac760eb9419f5001c93c95015e08d96

        SHA1

        5f117ad05fbd7dac06dd979cce7ed7d559981dc5

        SHA256

        144c21c3975cd13d5888f316f074a082af4556373cb90556f031dddc294056cc

        SHA512

        13d660b3f5ad4ab143cd10d93cdcbb8c3608cedbff2f9ef716db112d3aa32ebced57063f3c88dd5ef59e58826ef50f9fbb39dee9c628ceb84b228d8498e94025

      • F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\GGGGGGGGGGG

        Filesize

        129B

        MD5

        58c95e73a02df8cfe7d7741f5e1cf751

        SHA1

        c33200ec051bbc3e044409f39ae9ec55a95887a3

        SHA256

        3048571e5ca3aa8b573b43eb404a45a0e465dc7342ee8340858d102a02523026

        SHA512

        80f0d0ff97db6e5b72fae648935974154169ebfca516510faeea90ce4a0132d35bdfe315101ca7a48a0d27048124e47509978001769b36b552719926a74c32d5

      • \ProgramData\93C7.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • memory/2020-0-0x0000000000350000-0x0000000000390000-memory.dmp

        Filesize

        256KB

      • memory/2468-848-0x0000000002410000-0x0000000002450000-memory.dmp

        Filesize

        256KB

      • memory/2468-857-0x000000007EF80000-0x000000007EF81000-memory.dmp

        Filesize

        4KB

      • memory/2468-859-0x000000007EF20000-0x000000007EF21000-memory.dmp

        Filesize

        4KB

      • memory/2468-860-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

        Filesize

        4KB

      • memory/2468-846-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

      • memory/2468-880-0x000000007EF40000-0x000000007EF41000-memory.dmp

        Filesize

        4KB

      • memory/2468-881-0x000000007EF60000-0x000000007EF61000-memory.dmp

        Filesize

        4KB

      • memory/2468-882-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB