Overview

overview

10

Static

static

10

2024-09-14...de.exe

windows7-x64

9

2024-09-14...de.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    14-09-2024 07:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-09-14_7846b146a31b75e9c8617e9b418fb3f1_darkside.exe

  • Size

    146KB

  • MD5

    7846b146a31b75e9c8617e9b418fb3f1

  • SHA1

    e3693398aa8ea823945ffc938a3d8ea6e378a039

  • SHA256

    a88c337c37e65b1ed0a7083125000e0d1284a9d89770a9ef0f8ea689405c558a

  • SHA512

    158d4d1d7343b1a23ccccc749f51a42dac7a2d9ef9750bd369459ab15d602a3cef105167901a2275ae1b6eee7b3872611f09944f646c645ab4913b6df834c7e9

  • SSDEEP

    3072:l6glyuxE4GsUPnliByocWepHpfr3dmPbBxCA:l6gDBGpvEByocWe1pfr3YPVcA

Score
9/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (299) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-14_7846b146a31b75e9c8617e9b418fb3f1_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-14_7846b146a31b75e9c8617e9b418fb3f1_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\ProgramData\1C5.tmp
      "C:\ProgramData\1C5.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1C5.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1752
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x148
    1⤵
      PID:1592

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\BBBBBBBBBBB
      Filesize

      129B

      MD5

      af5754140d69c24be69e5d0fdcff7b10

      SHA1

      7acdad4e033ac4e2bd90888dbeef790ffca42867

      SHA256

      5a8b38aef2650e747f8bf031edfbdeeb846b177b2ae1381d27984616f3374eb3

      SHA512

      819f1c44e6f720827f2936e747b55e3930a85b8079ccc92a04191d0a68a76806be54565c806daaff913db91c0ab3286d9e08d824d214fa69c0d8eefb3c444e7d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
      Filesize

      146KB

      MD5

      9bf9c08a6d5489fa8922770d14552448

      SHA1

      4348a4a5fde7a87558bbd8be792b7f37ee15146d

      SHA256

      db2f71fd9c2964f82ea0953795da461f15b8a92fe68d00d29b9e2b76d04e496a

      SHA512

      c5de6a1ddb6d8fc408b09f1691ffcea5569e954c594a6a064db1f48eae3493b8b0401b1c316d7a2ca3074b8e8a41afecc19ca8a46c86eeffb142f599bfc8e881

      Download Submit

    • C:\eAizhxrXl.README.txt
      Filesize

      343B

      MD5

      72b1ffaeb7de456483f491ecceadb088

      SHA1

      ee1953abc295245ab01f35a4a823883826bf2b41

      SHA256

      eb892eac9899b995047733bb17acd4945eb42b7b49f2ee8ad52b8026bc0297a7

      SHA512

      c0e7cad617cf1490bb25fc47936edc3ae164b190ed34f2d2a50e7e84ce6e0d6712a6ba9ab351cca1589266078326a00317516c53fecf96f20eaefe15e92ce445

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\GGGGGGGGGGG
      Filesize

      129B

      MD5

      8b62a60b06c15d21eced304f514a3378

      SHA1

      544489e8f14e9fd693bc3013bba9e68774c877be

      SHA256

      87bff4b7758c0f302aadef89ad66c0315768b0b2cc7dcf21315aa23f60ab00e1

      SHA512

      cb7b778b274943f98e68e34540f12661dcc4f4131c66ed44f456d391102abd0ba9482dca34bfb4c28f2a7818eaebde7b478f9025c8aab9f1f56e48cb500c7b26

      Download Submit

    • \ProgramData\1C5.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • memory/1260-833-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1260-838-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1260-837-0x0000000002240000-0x0000000002280000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1260-836-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1260-835-0x0000000002240000-0x0000000002280000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1260-868-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1260-867-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1904-0-0x0000000002120000-0x0000000002160000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1904-1-0x0000000002120000-0x0000000002160000-memory.dmp

      Filesize

      256KB

      Download