Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/07/2024, 12:02

General

  • Target

    2024-07-09_e2345db4f8ebb6ed5e78f14e6b57384c_darkside.exe

  • Size

    147KB

  • MD5

    e2345db4f8ebb6ed5e78f14e6b57384c

  • SHA1

    e5f299b1d4f2d5d0837d4b8229074c266ba62f14

  • SHA256

    9075cb70be32cfd3c97dc814eab5456eef5800c07acc4862094c09680cf4667b

  • SHA512

    3baa786b6472dd4a267ca06e045e918e5bba0e10c08adb77ccc5444d6ff694525659685f6a8abc10e5eb99e1b0cc2d0b6faa584f6cb404190b88c509be9a2a41

  • SSDEEP

    3072:O6glyuxE4GsUPnliByocWepteMq6UJhlQ8fH/H:O6gDBGpvEByocWe+b6Ul/f

Malware Config

Signatures

  • Renames multiple (8063) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-09_e2345db4f8ebb6ed5e78f14e6b57384c_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-09_e2345db4f8ebb6ed5e78f14e6b57384c_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\ProgramData\5EF2.tmp
      "C:\ProgramData\5EF2.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5EF2.tmp >> NUL
        3⤵
          PID:1172
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x14c
      1⤵
        PID:948

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini
    Filesize: 129B
    MD5: 47096602d1a772dae0c34d13d9b9a8a6
    SHA1: d701bfc098cc433576f2e37783fbf7b8846ffe54
    SHA256: 6f5d8e35adc939620c948a79df7f9b9316ca44ad181e68b4b0933bc8695b51c5
    SHA512: 7030af9fdfea385fcb7376d2699fff61590aa4d856294a1549d198aad258420445fcb8cb3a94764bb740adad8b18a39f9a3311ffc1757a2de15c160991d01099

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
    Filesize: 147KB
    MD5: 3dd07cc4ab7950a15b46b29b0a7a1cec
    SHA1: 563dd1d405c29845604fec78b49de6ed6faa2680
    SHA256: 643639226425610157979616176963ec87d355d9e844155f10dd1cc4b54fa6c1
    SHA512: f60b42784349f2f84e80b1826cda8a7d35a5ae208c7665ceb6c0875783d5008ca18a58c58ee00c68254ca835cf72841edb3136a67f70749d71ebe9b97bfa3be8

  • C:\rkOLwOtuy.README.txt
    Filesize: 1KB
    MD5: 12195084f7d45242aee98ce43164a8ed
    SHA1: dc77f76589a9e6df6abc30954d52e35a5f1a2bdf
    SHA256: 9551659ef8e5c10038fac2ecfb0adbcf8997ecf7841084f71d1eb2380ee20d40
    SHA512: 5b841a70d5f4743a12a682dc567abee3b78038529d24c13fc8a58d9c5f853c66271579c05212d043fbf426383bad03d4e97377a6b7253390014a3c4b8894f259

  • F:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\GGGGGGGGGGG
    Filesize: 129B
    MD5: b903ff9404e42e565f60b8e380f6e35d
    SHA1: 978151d6ed55c2b83101a3f4c177e2e6d27576ba
    SHA256: fe2bb9f8c2209f17ab23ce7f339376f52a8e0c1205f80a0bb03a40447b3e5941
    SHA512: 469f889abcb4921628912fde4663d998d5e23a692493cc0cd5e25046ad56de305fc34ba813b37ca97918515b763d3013e9f904ef1b71c8eb30a9afc6ce5cea3f

  • \Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    Filesize: 4.7MB
    MD5: 61bffb5f57ad12f83ab64b7181829b34
    SHA1: 945d94fef51e0db76c2fd95ee22ed2767be0fe0b
    SHA256: 1dd0dd35e4158f95765ee6639f217df03a0a19e624e020dba609268c08a13846
    SHA512: e569639d3bb81a7b3bd46484ff4b8065d7fd15df416602d825443b2b17d8c0c59500fb6516118e7a65ea9fdd9e4be238f0319577fa44c114eaca18b0334ba521

  • \ProgramData\5EF2.tmp
    Filesize: 14KB
    MD5: 294e9f64cb1642dd89229fff0592856b
    SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • memory/2592-12020-0x000000007EFA0000-0x000000007EFA1000-memory.dmp
    Filesize: 4KB

  • memory/2592-12023-0x000000007EF20000-0x000000007EF21000-memory.dmp
    Filesize: 4KB

  • memory/2592-12022-0x000000007EF80000-0x000000007EF81000-memory.dmp
    Filesize: 4KB

  • memory/2592-12021-0x0000000000290000-0x00000000002D0000-memory.dmp
    Filesize: 256KB

  • memory/2592-12053-0x000000007EF60000-0x000000007EF61000-memory.dmp
    Filesize: 4KB

  • memory/2592-12052-0x000000007EF40000-0x000000007EF41000-memory.dmp
    Filesize: 4KB

  • memory/2868-0-0x0000000000EF0000-0x0000000000F30000-memory.dmp
    Filesize: 256KB