General

  • Target

    2024-08-10_0698cdd7f9b368e45a1180c88ad87aa0_darkside

  • Size

    145KB

  • Sample

    240810-ctjzya1gql

  • MD5

    0698cdd7f9b368e45a1180c88ad87aa0

  • SHA1

    3d6f7d44ac1ee1125526ceaba6a9f28cf80d9de2

  • SHA256

    7e7505d1be3d0e23af4d995768260d8200a7cc980e1e2ac359288779c9d18cd8

  • SHA512

    d21d947537e8556083efff317f6030b7c442a5199a1172e916a99ea6ea89478ae8438183715b939ca494d3b653c551a7efee33005fc8e423f1bdd1689bedd820

  • SSDEEP

    3072:yqJogYkcSNm9V7D0z88vdQpKbHuck/80T:yq2kc4m9tDcd9ucY

Malware Config

Targets

    • Target

      2024-08-10_0698cdd7f9b368e45a1180c88ad87aa0_darkside

    • Size

      145KB

    • MD5

      0698cdd7f9b368e45a1180c88ad87aa0

    • SHA1

      3d6f7d44ac1ee1125526ceaba6a9f28cf80d9de2

    • SHA256

      7e7505d1be3d0e23af4d995768260d8200a7cc980e1e2ac359288779c9d18cd8

    • SHA512

      d21d947537e8556083efff317f6030b7c442a5199a1172e916a99ea6ea89478ae8438183715b939ca494d3b653c551a7efee33005fc8e423f1bdd1689bedd820

    • SSDEEP

      3072:yqJogYkcSNm9V7D0z88vdQpKbHuck/80T:yq2kc4m9tDcd9ucY

    • Renames multiple (367) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks