Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-07-2024 23:45

General

  • Target
    2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
  • Size
    145KB
  • MD5
    96e3e3d9ebe4d58cd95eb228435fb963
  • SHA1
    abdc64e951191b76aca54288c7f8fa73815e3595
  • SHA256
    59df766d70769ab099af2c4baddef908b86df1052251f0e1dfb62ac7d1eea91a
  • SHA512
    b6c1e815b54bafd5f23b3141e7fadfe6577f2b860afe9116a26cae9a125ec4367a30aac82680241c672a824e53b4b8afdae361d14360dbed1bef71cecfae592f
  • SSDEEP
    3072:+qJogYkcSNm9V7Dt1IGupuEE5MuJHkyT:+q2kc4m9tD4Gua5k

Malware Config

Signatures

  • Renames multiple (352) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself (1 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (1 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) (2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious behavior: RenamesItself (26 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\ProgramData\BCCA.tmp
      "C:\ProgramData\BCCA.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BCCA.tmp >> NUL
        3⤵
        PID:2040
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x148
    1⤵
    PID:1332

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1385883288-3042840365-2734249351-1000\desktop.ini
    Filesize
    129B
    MD5
    a9ac3ab98c580639d83a67815b33b5b2
    SHA1
    169c17464eb0b7aa99d3f746c65f2de4909560f5
    SHA256
    9a7204c50c4d386e36e9bbb762668a944e5492fc0ee4fabe7a980635ac9884e1
    SHA512
    825a672f5739995c622909f5f17311b8dbece35d941ff218765f29817b467c4810802b125cbbaff8eef150e57fce5a3d3db3f7bb71fa09e41cbae32fd31f77a8
  • C:\Teq3MqmIA.README.txt
    Filesize
    316B
    MD5
    368f4c8564cb3f6b7a27e5aac3626f94
    SHA1
    7027f2738c0199587c8023b5602cfaf0705dc915
    SHA256
    1e65060d971c2bd94ba6ffeacb716992d2d0d0cd7d045b63003f0d9d2103c784
    SHA512
    c67ecee9dd57937aa52361b2dcfc2533dfedfe6041a8249f2a3c737d27ea290ca630bd983d7537bc13fee836dfb51175886c49f8c1fff6e673acc348e5e1f605
  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
    Filesize
    145KB
    MD5
    b6fae4b4569ac6ddac9f7f72d911c789
    SHA1
    dad688ef642457c0dc81fffb5c725cffdbd60cc6
    SHA256
    de1d7e65c69c17553f172f935a2cb465ad91f01b637e2cc0ee080c297dc4f03f
    SHA512
    164635f9bb3d139b06a352b1d920c921034c5c98bb8a9145b61ceb5da10b7956b34788f9efbfdd9b8d0ee40f59c59c3dc2ec3f20aa6c8296187bb2b48a26546c
  • F:\$RECYCLE.BIN\S-1-5-21-1385883288-3042840365-2734249351-1000\IIIIIIIIIII
    Filesize
    129B
    MD5
    49f1bc254af21b4ca1b4ed7037b38565
    SHA1
    dc3278e5fdc8607d0fc07d07d37efcf03a1f9d0d
    SHA256
    9c0a5822d6d992f30fe3dfd3907c55394ea4c5f9e13dd0f2bcb2630c279aaf24
    SHA512
    639e5aeaaec0e6893e59407bc6bd63c5317213b6f44e1e448f588c39b74b7405e1e1a1ff8fb141bdbc5117769542bb824d22f9fca927da8aa5397f456add1f81
  • \ProgramData\BCCA.tmp
    Filesize
    14KB
    MD5
    294e9f64cb1642dd89229fff0592856b
    SHA1
    97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256
    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512
    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
  • memory/1992-887-0x000000007EF20000-0x000000007EF21000-memory.dmp
    Filesize
    4KB
  • memory/1992-885-0x0000000002430000-0x0000000002470000-memory.dmp
    Filesize
    256KB
  • memory/1992-884-0x0000000002430000-0x0000000002470000-memory.dmp
    Filesize
    256KB
  • memory/1992-883-0x000000007EFA0000-0x000000007EFA1000-memory.dmp
    Filesize
    4KB
  • memory/1992-886-0x000000007EF80000-0x000000007EF81000-memory.dmp
    Filesize
    4KB
  • memory/1992-916-0x000000007EF40000-0x000000007EF41000-memory.dmp
    Filesize
    4KB
  • memory/1992-917-0x000000007EF60000-0x000000007EF61000-memory.dmp
    Filesize
    4KB
  • memory/2096-0-0x0000000000C60000-0x0000000000CA0000-memory.dmp
    Filesize
    256KB