Analysis

  • max time kernel
    99s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/08/2024, 02:35

General

  • Target
    2024-08-10_ef531da468065fc649d072824c9a76e2_darkside.exe
  • Size
    146KB
  • MD5
    ef531da468065fc649d072824c9a76e2
  • SHA1
    93c35e2e7f4915645479f6ae680683dcb3d9bc54
  • SHA256
    d12c35c8825aad5b09855a89102236774ca847a7559132c4e9d92aaf69772815
  • SHA512
    4c212df24e00fb7d93a5d26f27c3c0628cd7dbea67d7ee72844d1de5d6c5713860e423a01a8226da825882507f5982a06d01d8677e8bb26c66a43f131dac7894
  • SSDEEP
    1536:IzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDjkxB81Hd8lQG9XtPmSQVwpdNIQ:XqJogYkcSNm9V7DjQPQGfjLpjIa1tT

Malware Config

Extracted

  • Path
    C:\xgU6NOijB.README.txt
  • Ransom Note
    !!! ALL YOUR FILES ARE ENCRYPTED!!!
    All your files, documents, photos, databases and other important files are encrypted.
    The only way to recover your files is to use a decryptor.
    To get the decryptor, write to us by mail or telegram, specify the ID of the encrypted files in the letter:
    Email: [email protected]
    Telegram: https://t.me/bit_decryptor
    Warning.
    * Do not rename encrypted files.
    * Do not attempt to decrypt data using third party software as this may result in permanent data loss.
    * Do not contact other people, only we can help you and recover your data.
    Your personal decryption ID: 8F1D8AE5590CFFAA7CAF47ED4DB2283A
  • URLs
    https://t.me/bit_decryptor

Signatures

  • Renames multiple (599) files with added filename extension
    This suggests ransomware activity: encrypting all the files on the system.
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely for geofencing.
  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials.
  • Drops desktop.ini file(s) (2 IoCs)
  • Indicator Removal: File Deletion (1 TTP)
    Adversaries may delete files left behind by the actions of their intrusion activity.
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: RenamesItself (26 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-10_ef531da468065fc649d072824c9a76e2_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-10_ef531da468065fc649d072824c9a76e2_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\ProgramData\705D.tmp
      "C:\ProgramData\705D.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4312
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\705D.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4804

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\CCCCCCCCCCC
    Filesize: 129B
    MD5: 1fe55e42eaa716ce7015ec3871b71bf1
    SHA1: 395af9d24dcac22e3bbc23cd107efe620b9909b3
    SHA256: 5f80bd70c9e5624653a7cc17e49dbba7a30acfb2a789502a423a84e018dcdb42
    SHA512: 889ae7d18e7f96dc6305ad21efeb8473b543c01570b5863cc49e0417be1cfd3adbdd68c4371bb2dd45eeefa1b82015e28c4e4dd13ee92eb80fe2e7945e190ef8
  • C:\ProgramData\705D.tmp
    Filesize: 14KB
    MD5: 294e9f64cb1642dd89229fff0592856b
    SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
    Filesize: 146KB
    MD5: 5b2771c7bec12ceccdbfa68419072a0e
    SHA1: 750e8ac0107e15d2254cc7b5073337808096c00b
    SHA256: 9544d36c0116218371ce0f5f24764fc55bc9c8fe2894ee01868080ca603413bb
    SHA512: 5ae3b3010652a7e2179091d0427acf8573e6581dd2ed6fbb5189921328997adaab795388a1c128b0d80909fa09846fbe94b4df1b2815718a6362e18c5dc01305
  • C:\xgU6NOijB.README.txt
    Filesize: 659B
    MD5: b095cdc2c61397b1ecee4084679ce7f3
    SHA1: 009df052eb53a5b0c092ca850abf28f195b0d82e
    SHA256: fb9f29b6168e5095f9faa8db50a0c3e21640fc5931cee5c275de7d4c25d84fe4
    SHA512: 1d6b8fbe29f6f960e846b198bf3caea276e4b5f0ae01c5616232c583b8bf5988ecc5f646bd027280283a86529c0d6b9b0ceef6b7e304cd5fda1428cc0f87412f
  • F:\$RECYCLE.BIN\S-1-5-21-2392887640-1187051047-2909758433-1000\DDDDDDDDDDD
    Filesize: 129B
    MD5: 553176e0e96aaa41ec3ff1e596bc2657
    SHA1: 5823329dc009d5e7aee9284744cd2b3f8f983f44
    SHA256: 5c35412cfc697c6f4f08a6991f7583b1d053d1a325bf3ea780e2aaa605e4e988
    SHA512: 247ee5c899f26ca3595fe00a0905f7feb2df885e8737c175183146c87f467217e0b2959c65cbc62ecd6ab035f183040f6f47c7424bca316fddb3a0acad96eb89
  • memory/1396-0-0x0000000003330000-0x0000000003340000-memory.dmp
    Filesize: 64KB
  • memory/1396-2-0x0000000003330000-0x0000000003340000-memory.dmp
    Filesize: 64KB
  • memory/1396-1-0x0000000003330000-0x0000000003340000-memory.dmp
    Filesize: 64KB
  • memory/4312-2784-0x000000007FE20000-0x000000007FE21000-memory.dmp
    Filesize: 4KB
  • memory/4312-2783-0x0000000002400000-0x0000000002410000-memory.dmp
    Filesize: 64KB
  • memory/4312-2782-0x0000000002400000-0x0000000002410000-memory.dmp
    Filesize: 64KB
  • memory/4312-2781-0x000000007FE40000-0x000000007FE41000-memory.dmp
    Filesize: 4KB
  • memory/4312-2785-0x000000007FDC0000-0x000000007FDC1000-memory.dmp
    Filesize: 4KB
  • memory/4312-2814-0x000000007FDE0000-0x000000007FDE1000-memory.dmp
    Filesize: 4KB
  • memory/4312-2815-0x000000007FE00000-0x000000007FE01000-memory.dmp
    Filesize: 4KB