Overview

overview

10

Static

static

10

2024-04-26...de.exe

windows7-x64

9

2024-04-26...de.exe

windows10-2004-x64

9

Resubmissions

29/04/2024, 16:10

240429-tmdysaeg49 10

26/04/2024, 11:49

240426-ny1zssfh37 10

Analysis

  • max time kernel
    31s
  • max time network
    33s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/04/2024, 16:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe

  • Size

    194KB

  • MD5

    6fd558cf3add096970e15d1e62ca1957

  • SHA1

    78e95fabcfe8ef7bb6419f8456deccc3d5fa4c23

  • SHA256

    41e187191625d749b89a11bc04fc0b2a3b9bd638035d05b39365c47ab36d1898

  • SHA512

    fac7efe9b76f9b6a917f8751f5be64ad8e067e5404fe05f3e9d7781ea3661a06c0baaac676a6023eb4a0b7f01bc2bb2d64d572f85aec8ad8de35cc7f106e1fdc

  • SSDEEP

    3072:n6glyuxE4GsUPnliByocWepMhJL4BFkTGX:n6gDBGpvEByocWeyhJL4UK

Score
9/10
ransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (619) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-26_6fd558cf3add096970e15d1e62ca1957_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3644
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:1852
    • C:\ProgramData\734C.tmp
      "C:\ProgramData\734C.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4660
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\734C.tmp >> NUL
        3⤵
          PID:2800
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:3400
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4372
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{CD993C9B-7C26-4550-85FA-026FBE6E58D5}.xps" 133588806308040000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:2000
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AAtvmKv4L.README.txt
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:5584

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-17203666-93769886-2545153620-1000\AAAAAAAAAAA
        Filesize

        129B

        MD5

        d2ef31ee0d74dfcfc71f20b0d3a48543

        SHA1

        5498816e490e6c40eba13d9b457450166f168f48

        SHA256

        a80507338540f57d279c3af0b2608ee27645e25588eed70cd6e61fd43529e23c

        SHA512

        b070f94e56adc13cc14a910d7c4465ee5e9b49c56d8f6ff979888d6a259b2a386a603f1f4d2c390ace64d6e817e6987dfce21bdaf2a28db1dbf3079a1cb9a366

        Download Submit

      • C:\AAtvmKv4L.README.txt
        Filesize

        434B

        MD5

        b4709a56b9d7f431da172316cda720be

        SHA1

        d2132f7129a7003ec4c0392f0f08cd24ea353da6

        SHA256

        192d1e6078570865531e8a4c9840a483c4a2ac35fe468107284991f6da813191

        SHA512

        e390d51e95db5e56c666a2895dc87dab41d97e7ce3c0df1f2466abf14a651167232521ab5f52746d16bab0ef14e6c0ee9dcfe29894604d695b0d064909378227

        Download Submit

      • C:\ProgramData\734C.tmp
        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
        Filesize

        194KB

        MD5

        ce1ef2486e772198e65bf84e9f5ac34e

        SHA1

        42eacc0fb0bab61915632fb3730286d4b8c4bca6

        SHA256

        abd37ed6c70e394adf4ae5949062a2339aa31d2a6bb80511ba75db930db43598

        SHA512

        d409ae2452664498b82f8ae6ecd03a773abdc2842d670fd48029b4014785691b30c28929a992929e11109c007cfb02d2c898706a68e355e4649e52722afc3789

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\{41352836-1672-4A7A-9C70-E097774D7EDE}
        Filesize

        4KB

        MD5

        d7dea5272b3b7f238bc91a409107f416

        SHA1

        51fdfd8b8a6f750ab844d0383ed974da68da7fe4

        SHA256

        293c2683db50fa9ac67c296cafc9321b27e934118ed2fe0c2aa293fd5a81a305

        SHA512

        4050233911d6661d364419286dbf7d1fea1fa808729579847fc51c2f1bbc38fefeff3bb75bec4fd575000431c437d52dab56e30bdcb3cbe78380c20b7f1e0b58

        Download Submit

      • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
        Filesize

        4KB

        MD5

        3b4b6ce6a2bf22746e7e80f8cbb03153

        SHA1

        5a60a0e1722b6decfef1df3935c98496890205d2

        SHA256

        e2625cbec627cf5067a147652b60eb5aa89289c039b364614b109585076081db

        SHA512

        3278c053054b3a235770a96908688f991e76e8093736a218cc9e7c080347be5336af3b495093207c640c5949cdf4f5164ce19aa593caac11f0b421489b14ed6e

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-17203666-93769886-2545153620-1000\DDDDDDDDDDD
        Filesize

        129B

        MD5

        186626d0393e70b5b36140c8a523354f

        SHA1

        face32e1bc4050758836ea16ff258686cfb887a4

        SHA256

        6fb18bb09e23c66e70dcc033863bdcd1079e07faa2b848b03e1d56772bbc8bd2

        SHA512

        1e6012ffb822a09787d07389338ebe91b4e4f93dd7afeb25740ac5768759e789c2f264f8ee3093bb4fdb49154a308bded2e7a10f585e202e6a190064f21c764e

        Download Submit

      • memory/2000-2840-0x00007FF840950000-0x00007FF840960000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2000-2841-0x00007FF840950000-0x00007FF840960000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2000-2808-0x00007FF842AB0000-0x00007FF842AC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2000-2807-0x00007FF842AB0000-0x00007FF842AC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2000-2806-0x00007FF842AB0000-0x00007FF842AC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2000-2869-0x00007FF842AB0000-0x00007FF842AC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2000-2810-0x00007FF842AB0000-0x00007FF842AC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2000-2811-0x00007FF842AB0000-0x00007FF842AC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2000-2870-0x00007FF842AB0000-0x00007FF842AC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2000-2868-0x00007FF842AB0000-0x00007FF842AC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2000-2867-0x00007FF842AB0000-0x00007FF842AC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3644-1-0x0000000002D30000-0x0000000002D40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3644-0-0x0000000002D30000-0x0000000002D40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3644-2-0x0000000002D30000-0x0000000002D40000-memory.dmp

        Filesize

        64KB

        Download