Overview

overview

10

Static

static

10

2024-07-10...de.exe

windows7-x64

9

2024-07-10...de.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    92s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-07-2024 23:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-10_c800abb5601665aee11296a490208235_darkside.exe

  • Size

    145KB

  • MD5

    c800abb5601665aee11296a490208235

  • SHA1

    075f5904a79191e0e1bf55dead50436e79240211

  • SHA256

    d2f92f8689ebe1eca79c8bdd1c14d0b132ffc69df2d8b1edcfa5ce8ede390085

  • SHA512

    9fa5d90077e0ebae8d10542ac3e7b4d6fd49c84c1995f3b2e3a99db8932d82590b4de6711c6f49d4f954f760b5d6c4c5c1aa4a0b5d123ea6086549a22c741ae2

  • SSDEEP

    3072:uqJogYkcSNm9V7D2xZ11Z/pBOlKkv1Rfn5T:uq2kc4m9tD2D1LRBsxB

Score
9/10
ransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (627) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-10_c800abb5601665aee11296a490208235_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-10_c800abb5601665aee11296a490208235_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:456
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:3472
    • C:\ProgramData\F732.tmp
      "C:\ProgramData\F732.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F732.tmp >> NUL
        3⤵
          PID:5076
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:408
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:3588
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{2EFFF7AF-517E-43B0-8345-206F77BAA0F9}.xps" 133651287831860000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of SetWindowsHookEx
          PID:2704

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-1176886754-713327781-2233697964-1000\FFFFFFFFFFF
        Filesize

        129B

        MD5

        dbf5ed861e5437ee336eb3178cb20ee0

        SHA1

        405da971a322c5dc5d7d07d7d38b85fef7ef314d

        SHA256

        4e0151f4a013b83660cf2f84d6c42a28a94dbce48ee1d763fee1041f5668e8c5

        SHA512

        1363d51efc8c6b3341fc8c761d803c1edb234e8b3652b3d23ff0cf2515aee2e808c4f9db54d7131d59982d157a1f12315951ad80400ecba630f841c8596b076a

        Download Submit

      • C:\ProgramData\F732.tmp
        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
        Filesize

        145KB

        MD5

        4e69070f37d608449de978a2f635371c

        SHA1

        7baaee7d8543fa906f7641861d059ac774eda875

        SHA256

        256438366c53616d523927c691fc07efb890d05c0537780cf32f2468d38fbf47

        SHA512

        005387f08ec4ed544a4471204d550c922783fefd3eedf53610bc2d9e2308e79247cfb16e4e1a18896e4a2178b03e6f1d536ddcca30f66a0fffde266fee81547e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\{5EA06A17-0BDD-4C69-9025-ECEC61A926EF}
        Filesize

        4KB

        MD5

        83fe3c1e7c49a52df7014ad5ba894071

        SHA1

        6e78624ea0530995fbc3976fdbe0db5a583c7b8d

        SHA256

        8db0810bd09f8d363077216118ad7107e9c3baec902f7139d5e7a232acc08eb9

        SHA512

        5120a6999420045f769901d464faf82592a80c6d433cc653f08416631f2ca89f36153b58f7ff4a1443a6acd55c5bf8150541ed9d84e4246fde559b188312afd9

        Download Submit

      • C:\iQqkpF2D8.README.txt
        Filesize

        316B

        MD5

        58f21017efbdd10f2f533435e673475e

        SHA1

        9c03d5de3bc5f6f29e3743803499aa72a36d8ca3

        SHA256

        c24653b000805dd26430ce3f0807999652e3a8e3f29ff7e70b1c565d3245ac4f

        SHA512

        963d05c0d2c9f2de21dc9cf7aac7802cfaccb8fede12ab991a68dc13293f280d7ec7d08c6df899360e77c26a3fc9d8291558bf71aec3453622ea5889d243da3d

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1176886754-713327781-2233697964-1000\DDDDDDDDDDD
        Filesize

        129B

        MD5

        3dacb2381c319b323c0748ad9c00bf31

        SHA1

        1b57599991ab9d18b3506a9eecb52a32e8df1045

        SHA256

        c75a20dd298a445746451fdfc9d1f1e67f77f489f613e4c5fad0158c4fb9b0fc

        SHA512

        6eca93b72f5d473e654f8946a535c3ecdf34713cfd3a703a52b1cda55f08bced98770faa9bbd78c9fddedca5930f7701cb4255a91d03346ae6bb61b3c3be276b

        Download Submit

      • memory/456-2-0x00000000032E0000-0x00000000032F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/456-1-0x00000000032E0000-0x00000000032F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/456-0-0x00000000032E0000-0x00000000032F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2704-2998-0x00007FFA98190000-0x00007FFA981A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2704-2999-0x00007FFA98190000-0x00007FFA981A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2704-3001-0x00007FFA98190000-0x00007FFA981A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2704-3002-0x00007FFA98190000-0x00007FFA981A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2704-3003-0x00007FFA95890000-0x00007FFA958A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2704-3004-0x00007FFA95890000-0x00007FFA958A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2704-3000-0x00007FFA98190000-0x00007FFA981A0000-memory.dmp

        Filesize

        64KB

        Download