Overview

overview

10

Static

static

10

2024-07-10...de.exe

windows7-x64

9

2024-07-10...de.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/07/2024, 23:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-10_89a181fac77cc6e784fda5672569d09d_darkside.exe

  • Size

    145KB

  • MD5

    89a181fac77cc6e784fda5672569d09d

  • SHA1

    7aaff3836b3e4118e17b526cebcd9c2676c7c44d

  • SHA256

    ccc0cdfa2dde9635fd97145c3d946365a8019c5c36b176abf492a50a8f5bb28c

  • SHA512

    703fa4c64719576d8186b9cdf8f3fc5b5050eb9c668edc7cc55eded223e6492f573b7fe1086a19f8379f3848feab3b03b8d4ff22892892b35142a4eb221c3532

  • SSDEEP

    3072:HqJogYkcSNm9V7D3IRoErzLH72lBQuW2T:Hq2kc4m9tD3IaMSBV

Score
9/10
ransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (614) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-10_89a181fac77cc6e784fda5672569d09d_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-10_89a181fac77cc6e784fda5672569d09d_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:3636
    • C:\ProgramData\D89E.tmp
      "C:\ProgramData\D89E.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D89E.tmp >> NUL
        3⤵
          PID:3844
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:3084
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4696
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{289A87DA-B5AA-4AEF-B5DB-4624C1C49432}.xps" 133651287683310000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of SetWindowsHookEx
          PID:1068

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-1176886754-713327781-2233697964-1000\desktop.ini
        Filesize

        129B

        MD5

        0cd022fbf40799910750dad720426917

        SHA1

        693f156f344106fcf8ce75e360e59433351a0521

        SHA256

        bcada7599b8a68c8be942304cb2df0b5928abd325b5c7e7feb2054cfe124fc4b

        SHA512

        ac1bbb686290031f1062f98a7d46835efcae06444af83842c8597c40e25398b27a682ae774978afda82e569b7dbd4e991232bd4347ac430a3213fc8a8b26c5e0

        Download Submit

      • C:\ProgramData\D89E.tmp
        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
        Filesize

        145KB

        MD5

        1a31a8d2f9a0dc451c744e9b99fb62a1

        SHA1

        951a6045aa1f42d1bdd0cb9f6184c8e1dc32bea5

        SHA256

        8f019082a3e36331da49d1c45703e11eb91504c16d2b41dceb82ab8a305661eb

        SHA512

        0591b412a4b5bbd8a334896d8c3f0e32bd82595dd9c1bcc563c7f6df2149e5145675b01d7e7ffd219d27e08f96bfebd196046f45d8c06581dbc36a58522b223f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\{7A0D3D06-0771-4270-9899-637B95898649}
        Filesize

        4KB

        MD5

        6a6dc148d1241ee62dff2d0f47cf5257

        SHA1

        13ff23cd4030796a2d6b075d2f1fc0292e44694d

        SHA256

        227852049792497b491503628739427460311f788dd4dd7f04622d498cf3d302

        SHA512

        9c264ae544e3870ae0257ed45ae743131eed736a19f5942c272ffa8f4e6a385412bd97ef7eebab44a0dcf72a9027823a7c7dd55dfc3486c1f6c68f5dc6d99828

        Download Submit

      • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
        Filesize

        4KB

        MD5

        8b3c8de7aa7f0c766434ae1bdb668302

        SHA1

        633efd8bdf799c95dbb7f53f19d6ecf818adb507

        SHA256

        eb6d6dd9d59d88ec3f00b9c9e6e1f6cfd6e69ea8ee143bf894c359db9ee7264c

        SHA512

        c8267072d9f1ad4f6583dbc2c335b0b6bce22466b038bbbf9024de68b40aad57fb3be3d599dd43a90cebb360c0180504a9fc3f0c0bee9f7ec2387e910327fa12

        Download Submit

      • C:\Users\Admin\w67zCHxLs.README.txt
        Filesize

        316B

        MD5

        d6e38989f9053d72789d04667121b876

        SHA1

        749cb04125667b12c82d413a645abb4d2f18611c

        SHA256

        1df528fd4a624396c30dbf15419cf4c768fa6baaf383d7c4d812c9afac0db61c

        SHA512

        9f0f771a3bfaecf82e6ba925e1313489e5b396c161589714354e93ebd8f1fa41f6414c69e3db7318d717be62b78f2bbff850fad1b67774f3292f393ca39e3e27

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1176886754-713327781-2233697964-1000\DDDDDDDDDDD
        Filesize

        129B

        MD5

        c75d3c98843a50c10cb91f81aa88238a

        SHA1

        41ac1cdd31abb03930ab318dcf5720afa59a7113

        SHA256

        8998b6216f690ec918df74a1597d7c1f4f17c4e4e541ecfc5153ddbdce88e360

        SHA512

        37437a9e4476cb9c2e2d8ac23c5c25366ffcef5bdae89172e0567ad75bdc3e82575561aaca1b57e9892b7b4dcbfab9038e92eef0319699957311a830679bd232

        Download Submit

      • memory/1068-2966-0x00007FFF24890000-0x00007FFF248A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1068-2967-0x00007FFF24890000-0x00007FFF248A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1068-2969-0x00007FFF24890000-0x00007FFF248A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1068-2970-0x00007FFF24890000-0x00007FFF248A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1068-2968-0x00007FFF24890000-0x00007FFF248A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1068-2999-0x00007FFF22830000-0x00007FFF22840000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1068-3000-0x00007FFF22830000-0x00007FFF22840000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4852-0-0x0000000000C00000-0x0000000000C10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4852-2-0x0000000000C00000-0x0000000000C10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4852-1-0x0000000000C00000-0x0000000000C10000-memory.dmp

        Filesize

        64KB

        Download