Overview

overview

10

Static

static

10

2024-08-19...de.exe

windows7-x64

9

2024-08-19...de.exe

windows10-2004-x64

9

Resubmissions

19-08-2024 02:08

240819-ckmz8ssapl 10

19-08-2024 01:29

240819-bwmyyazelq 10

Analysis

  • max time kernel
    148s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-08-2024 01:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-08-19_f24e4d221c73ebf1c2fb12d15c13fde9_darkside.exe

  • Size

    145KB

  • MD5

    f24e4d221c73ebf1c2fb12d15c13fde9

  • SHA1

    019ef3cbd70a0c4e3ea5c45ec4afdc28a655ed81

  • SHA256

    4f006379bbd3a2b2611346595ce373595031177d7043200591d81150aefc8ee0

  • SHA512

    1508ebf2cba481eda06707d133b994932688d6d3be6c1373e9e88bf8c36a02331df31dc1a575b6e4ed8a160294c88ae8767115af16af94e51b1589bdeedd1629

  • SSDEEP

    3072:H6glyuxE4GsUPnliByocWepMIO/oULmUHI:H6gDBGpvEByocWeGy6

Score
9/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (631) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-19_f24e4d221c73ebf1c2fb12d15c13fde9_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-19_f24e4d221c73ebf1c2fb12d15c13fde9_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:972
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:2116
    • C:\ProgramData\D2B2.tmp
      "C:\ProgramData\D2B2.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1228
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D2B2.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3148
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:1880
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4508
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{C8FEFE84-755F-4123-90D7-6A24417FAA62}.xps" 133685045987320000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:2164

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\FFFFFFFFFFF
      Filesize

      129B

      MD5

      ef24d6fd5122fa253ae7dc5244628738

      SHA1

      b7424e9fb1d9b6be7690308fc443d4ace236d2b3

      SHA256

      97008116d4576dd1447503e183379f4e6336a3a2be1b53edbddb29207cd6569b

      SHA512

      217e692734a9f9cbf1ecb43106bfffea5c15133beb9e9e33ad299a4fd097391baff74546219a5fc021693b4e523ecee8d10940e0bd5c969b67ba8936bbb8f4f0

      Download Submit

    • C:\N0IKX538u.README.txt
      Filesize

      19B

      MD5

      7edb66f1ed51a03a8b381c2307756c3c

      SHA1

      60fbdfcefe96843c077b66f7df2f89cbb3bd0312

      SHA256

      0fb417b326d101acbdbb29f1a10c8cfea19b6ce313c17f970ecbfd318c5015dd

      SHA512

      f65dc6c8a1494c267b217f562a6c98fa4b8d7ee9a77127d4062a6fba5e26879b9a4adb5649b3777d26f95ba491f29cde343fc4353e9ef6c8648ed51332a87dff

      Download Submit

    • C:\ProgramData\D2B2.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
      Filesize

      145KB

      MD5

      cb208303b1e29500c505e763574e2e7d

      SHA1

      5f638d036153b343c65116caf5c0380a59f3caab

      SHA256

      e9152b7dd928dee0d2018eb3907a13678f9b8a90e2b93032b2fd17481015ecb2

      SHA512

      13873feadfdcdde8966172d8b72a5948a5d7544f59ef5c160cafd80d4c4c1d7af4ce72d8dc276d90f3742a31620fa142b637eef1cd4c82b3453a69d9735b77ea

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{6521CF6F-6438-4CF3-A8BC-F0174BA3A1E4}
      Filesize

      4KB

      MD5

      c28a031dfb3da4b847b16661a3b5b485

      SHA1

      b7c0b2534e50d1931b7997996ee5257870dd2ca6

      SHA256

      d2bd2efe070bd739834ca83dbc1cac60fda3d36bbfcc10ad3d9d0d4cb0009bb5

      SHA512

      ea3612547deb03ac99239d10ea75172bfb8006a1760c288f4532f493a78047f6eda6e9967c38098a70c09aacfa98cab03c33686bceffa32754ed41f72bbd7071

      Download Submit

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
      Filesize

      4KB

      MD5

      0cab3704a6c9d3ccef0a6902bfcbb33e

      SHA1

      31625fd644a59b3e54388fb9a3c5478fc4f292c6

      SHA256

      3ce5f740b126c7045473c94cc5e9a1bf9da048203e549338cf55ab06e3222e76

      SHA512

      e0a41a231dd51e5440c59e735690deb27811150d389bf984b24acb15e77904ab27dcf38c3aeed95cb6cb18b625ab1bbae6553932884b22fc007e74a3b87b4d88

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-656926755-4116854191-210765258-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      9d44d0eacc9900d43f6b7182574e52ac

      SHA1

      bc6bda2bef61fc472e0fa115714213b1783955b6

      SHA256

      1754975b7efbcdeca0d90454e5116d09d756a84f4b8d381d1d839accc542e35d

      SHA512

      677975c4b2c2974fd9cb47884c418dea488cbfa5dd922b1088b70bfeaa68783b311d8411e8e9544e1f717fda9c9a256c28fb1ebdb1a057a12a93252f47e55fc7

      Download Submit

    • memory/972-2979-0x00000000031E0000-0x00000000031F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/972-2980-0x00000000031E0000-0x00000000031F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/972-2978-0x00000000031E0000-0x00000000031F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/972-2-0x00000000031E0000-0x00000000031F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/972-1-0x00000000031E0000-0x00000000031F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/972-0-0x00000000031E0000-0x00000000031F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2164-2999-0x00007FF7C6370000-0x00007FF7C6380000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2164-3000-0x00007FF7C6370000-0x00007FF7C6380000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2164-2996-0x00007FF7C6370000-0x00007FF7C6380000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2164-3029-0x00007FF7C3C60000-0x00007FF7C3C70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2164-3030-0x00007FF7C3C60000-0x00007FF7C3C70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2164-2998-0x00007FF7C6370000-0x00007FF7C6380000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2164-2997-0x00007FF7C6370000-0x00007FF7C6380000-memory.dmp

      Filesize

      64KB

      Download