Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
08-09-2024 00:25
General
-
Target
2024-09-08_0b14554861845d417fc0cdc27bec8019_darkside.exe
-
Size
147KB
-
MD5
0b14554861845d417fc0cdc27bec8019
-
SHA1
811042a7614a890dd332603476b1a27fef528518
-
SHA256
1ea8c04497c684c1337e4902bf8edf3fbe632d1775286243e1e6bbba759402b8
-
SHA512
771707df51f0a4df2cfe68abc5f730a32452f16625e546c7557917cb356d2284fd58ddea3af678fb7a28b0485493522a5edfdb6a0eafffd34e9f3c8a6cf6a05e
-
SSDEEP
3072:uqJogYkcSNm9V7DwMN7T8xPy8iuF7snT:uq2kc4m9tDjtTcPyeF
Malware Config
Extracted
C:\Yl8SYKvBf.README.txt
Signatures
-
Renames multiple (167) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: RenamesItself 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-08_0b14554861845d417fc0cdc27bec8019_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-08_0b14554861845d417fc0cdc27bec8019_darkside.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\C9D4.tmp"C:\ProgramData\C9D4.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C9D4.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1481⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5cb96e309590df7986d7bb96788573564
SHA1affb7013ed928be1c190de652b0dc420ef1b53b8
SHA256b0f05623f71475aba5f489227710c4cf818e573766da549accddb5bc0fa91096
SHA5124f07421035657056e49376642212fc169c34e049d6bf06fd16f875b266ce174bbbff9cde20e2c1bd844d5fbb8112de397a5ff1d72d0371950296cb540969813e
-
Filesize
147KB
MD5ba0a24184d2b878ab03c6120d77e0d68
SHA181542b3261a4060d64f4cc230590f91a4f865150
SHA256be5b9e155abb99c72f76fd3d385105dd0c74b5f89844b714e98322bb59df4417
SHA512212a40d7810eded1e8782b57ff898acfb1d63a342b5eb032feddeee9c789c60461016d067fad0c375b331e558245c4626a193cce409053010585f171f6a26ac5
-
Filesize
1KB
MD58e4e1364e1a6cd145eed9e9f55a0191a
SHA141d96243904d92f31b3002a5e422a7afd9e16ae0
SHA2564c25f0783cdd641b9ff8b0944fcc2fdb331e4b73d68314713c46a56213bcd704
SHA5125e2f14107e23c83a5f9867407545841225061857f66e5704e75a7469b55c10836ed067dcf6f39b75f67f811c3d96e7b5cc694752db54be1b6a6d78526102e371
-
Filesize
129B
MD59051f22d588a8f558befea446fbeddfc
SHA1268eb4a3105a7086b8c02e502bcb7378b6a14f3a
SHA256bce517bc32cdcc34b7f4bf4914a1af77f52a31ab59b761153aeff0d8094c96fc
SHA51243211081279cc3c1ed48bdb60b554ea31d6fc45b511c4ac3a117c5f26df998fbc7ff649108906c400bb99213b4ea65409d2439c78773216fe994e3428903ac6f
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
256KB