Extracted

• • Target

    2024-09-08_0b14554861845d417fc0cdc27bec8019_darkside

  • Size

    147KB

  • MD5

    0b14554861845d417fc0cdc27bec8019

  • SHA1

    811042a7614a890dd332603476b1a27fef528518

  • SHA256

    1ea8c04497c684c1337e4902bf8edf3fbe632d1775286243e1e6bbba759402b8

  • SHA512

    771707df51f0a4df2cfe68abc5f730a32452f16625e546c7557917cb356d2284fd58ddea3af678fb7a28b0485493522a5edfdb6a0eafffd34e9f3c8a6cf6a05e

  • SSDEEP

    3072:uqJogYkcSNm9V7DwMN7T8xPy8iuF7snT:uq2kc4m9tDjtTcPyeF

  Score

  10^/10

  defense_evasiondiscoveryransomware

  • Renames multiple (167) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Drops desktop.ini file(s)

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2