Overview

overview

10

Static

static

10

2024-06-13...de.exe

windows7-x64

10

2024-06-13...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    13-06-2024 00:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-13_603ab1d26637ce590df341e468795968_darkside.exe

  • Size

    1.2MB

  • MD5

    603ab1d26637ce590df341e468795968

  • SHA1

    1713ba54373bbdfed5b07e6244e1597ac94f5e2c

  • SHA256

    c2006d3fd1a8d1943421da6154751e7b53cc799a8bac833a6a95ef1dd2e06c45

  • SHA512

    81e29123cb6ce89e2442077dfb647b94752c0578507d2294135af8ef3ffb420f6f16d6d0a06be6a570143798adb63db3d874274bb9bab42bf190633419460268

  • SSDEEP

    24576:Pj4SJslvwqeH5TDdy6gGYXI152bFYEGsMOPRgH8vt+t7d1LeEqotPntpMWhP+c3O:P8J7IaOac4Mn3tAjXLz

Score
10/10
ransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\xa1Xx3AXs.README.txt

Ransom Note
~~~ LockBit 4.0 Ransomware since 2024~~~ >>>> Your data are stolen and encrypted Price = 1000 $ Bitcoin = 328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2 Email = [email protected] >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> Your personal DECRYPTION ID: A3138014A48684D6D525F3F372263313 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
Wallets

328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2

Signatures

  • Detects executables packed with BoxedApp 60 IoCs
  • Renames multiple (8832) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_603ab1d26637ce590df341e468795968_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_603ab1d26637ce590df341e468795968_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\ProgramData\8804.tmp
      "C:\ProgramData\8804.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8804.tmp >> NUL
        3⤵
          PID:2116
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x14c
      1⤵
        PID:2148

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\EEEEEEEEEEE
        Filesize

        129B

        MD5

        00b696b9db0713546fa65eb77db8ec4d

        SHA1

        80eb711dfdbf9e6c2ae7a767d2881ea75d81c9a1

        SHA256

        3aecac82053bdf48836dac18d08c79fe55ea75253890dff670cada1222c0a8ed

        SHA512

        8c9893fccf81173a99dc2b7a8572d7172d8ca200e3f3349589daeedf711a5583e1711738c34c8a4b850acdf3f4b5cf575b90504c885e3610283df8869a7da234

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
        Filesize

        1.2MB

        MD5

        c1e6261ba404018bf2278f24b4cca262

        SHA1

        51e038f8b265ad00ef1a2718c15b713251aebc13

        SHA256

        87afc3178e50e112cf16f80a8d7aa1be09146c71c2198c8fe68e8dc0a1bfebb1

        SHA512

        a8731e28e986cd9ddd0b372dfcdda95b6467434f48b2963e37be815fb9e1e3621ce3b4167a284d98f07cbaca95f4a708aca56aaacab24fd391192b9baa6ae5ae

        Download Submit

      • C:\Users\Admin\xa1Xx3AXs.README.txt
        Filesize

        1KB

        MD5

        b086e40671776e1878d78e5b77d87b29

        SHA1

        afc25200704f5e355a80a719e86a450295177606

        SHA256

        c99243fd5b4b2b5be708c0f30d095e515517f1e26a01032d05ad5ec6d6e4e2e3

        SHA512

        e813443a43ec149dc783d8f41c7e0abebf79ffa2718c33747a8d4a5cdc7ea1f9cbbc7ca7b2738ed4b724f246b0c56fa9f48c19f941174ddfc976216221480474

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\FFFFFFFFFFF
        Filesize

        129B

        MD5

        96f384c294aaded37e06824993af1956

        SHA1

        79d5f313d4748b6e66f352bb657449693d58f4b8

        SHA256

        5e215214657d226b9f7ee2de1c52c31b092333d69ff9d6285bba77de0a67433c

        SHA512

        f26104c37acee25a89c55cbeaa7bd7d78dc467ac0ef43f9961e6bd70f2f94c78240e9ac01114deb66bd2b5badd18b7401180487432372d04362697fc17115ac3

        Download Submit

      • \ProgramData\8804.tmp
        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        Download Submit

      • memory/1632-12798-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2852-51-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-11077-0x0000000000400000-0x000000000053C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2852-2-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-6-0x0000000000428000-0x000000000053B000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2852-8-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-9-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-19-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-47-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-18-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-17-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-16-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-15-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-14-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-13-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-12-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-11-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-31-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-45-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-56-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-29-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-57-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-55-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-54-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-53-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-58-0x0000000000400000-0x000000000053C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2852-52-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-1-0x0000000000400000-0x000000000053C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2852-50-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-49-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-48-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-44-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-0-0x0000000000400000-0x000000000053C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2852-20-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-43-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-42-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-41-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-40-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-59-0x0000000000400000-0x000000000053C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2852-39-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-38-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-37-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-36-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-35-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-34-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-33-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-32-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-30-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-28-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-27-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-26-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-25-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-24-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-23-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-22-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-21-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-6347-0x0000000000400000-0x000000000053C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2852-10049-0x0000000000400000-0x000000000053C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2852-11071-0x0000000000400000-0x000000000053C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2852-46-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/2852-12799-0x0000000000400000-0x000000000053C000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2852-10-0x0000000000540000-0x000000000063E000-memory.dmp

        Filesize

        1016KB

        Download