Analysis

  • max time kernel
    148s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-09-2024 07:37

General

  • Target
    2024-09-14_7846b146a31b75e9c8617e9b418fb3f1_darkside.exe
  • Size
    146KB
  • MD5
    7846b146a31b75e9c8617e9b418fb3f1
  • SHA1
    e3693398aa8ea823945ffc938a3d8ea6e378a039
  • SHA256
    a88c337c37e65b1ed0a7083125000e0d1284a9d89770a9ef0f8ea689405c558a
  • SHA512
    158d4d1d7343b1a23ccccc749f51a42dac7a2d9ef9750bd369459ab15d602a3cef105167901a2275ae1b6eee7b3872611f09944f646c645ab4913b6df834c7e9
  • SSDEEP
    3072:l6glyuxE4GsUPnliByocWepHpfr3dmPbBxCA:l6gDBGpvEByocWe1pfr3YPVcA

Malware Config

Signatures

  • Renames multiple (626) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-14_7846b146a31b75e9c8617e9b418fb3f1_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-14_7846b146a31b75e9c8617e9b418fb3f1_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:6120
    • C:\ProgramData\88C4.tmp
      "C:\ProgramData\88C4.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:5004
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\88C4.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2376
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3852,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:8
    1⤵
    PID:5892
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
    PID:3612
  • C:\Windows\system32\printfilterpipelinesvc.exe
    C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
      /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{039179DC-6480-441A-B7FB-CE1388E46D26}.xps" 133707730393760000
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:5016
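The tree above records three behaviours worth turning into detections: the sample (PID 3068) drops and runs C:\ProgramData\88C4.tmp, that helper spawns cmd.exe to DEL its own image through the 8.3 alias C:\PROGRA~3\88C4.tmp, and the Signatures section counts 626 files renamed with an appended extension. Two details matter for matching: the cmd.exe image is C:\Windows\SysWOW64\cmd.exe although its command line names System32 (WOW64 file-system redirection, because the parent is a 32-bit process), and the DEL target is a short name that cannot be expanded without the live volume, so a rule should compare basenames rather than full paths. The Python script below is an added example written for this report, not code from the sandbox; it replays a constructed copy of the tree (PIDs, images and command lines copied from above; the rename events, the appended extension HYPOTHETICAL_EXT and the threshold are invented) through those three rules.

```python
"""Behavioural triage over a sandbox process tree.

Added example for this report, not code from the sandbox vendor. It encodes
three behaviours the report attributes to the sample and runs them over a
constructed copy of the report's process tree: the image spawns a
4-hex-digit .tmp from C:\\ProgramData, that helper spawns cmd.exe /C DEL
against its own image, and the original process appends one extension to
many files. PIDs, images and command lines are taken from the report; the
rename events and the appended extension are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str      # image path as the sandbox recorded it
    cmdline: str


@dataclass(frozen=True)
class Rename:
    pid: int
    src: str
    dst: str


# Constructed telemetry mirroring the report's tree (PIDs 3068, 6120, 5004, 2376).
PROCS = [
    Proc(3068, None,
         r"C:\Users\Admin\AppData\Local\Temp\2024-09-14_7846b146a31b75e9c8617e9b418fb3f1_darkside.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\2024-09-14_7846b146a31b75e9c8617e9b418fb3f1_darkside.exe"'),
    Proc(6120, 3068, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    Proc(5004, 3068, r"C:\ProgramData\88C4.tmp", r'"C:\ProgramData\88C4.tmp"'),
    # Image is SysWOW64\cmd.exe although the command line names System32: WOW64
    # file-system redirection for a 32-bit parent, so the rules match on basenames.
    Proc(2376, 5004, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\88C4.tmp >> NUL'),
]

HYPOTHETICAL_EXT = "xk9qz"   # constructed; the report does not state the appended extension
RENAMES = [Rename(3068, rf"C:\Users\Admin\Documents\doc{i}.docx",
                  rf"C:\Users\Admin\Documents\doc{i}.docx.{HYPOTHETICAL_EXT}") for i in range(6)]
# An ordinary rename with no appended extension; must not count towards the rule.
RENAMES.append(Rename(5016, r"C:\Users\Admin\a.onetoc2", r"C:\Users\Admin\b.onetoc2"))

TMP_IN_PROGRAMDATA = re.compile(r"^[A-Z]:\\ProgramData\\[0-9A-F]{4}\.tmp$", re.I)
# DEL, any run of single-letter switches, then the first non-space token as the target.
DEL_TARGET = re.compile(r"\bDEL\b(?:\s+/[A-Z])*\s+(?P<target>\S+)", re.I)


def executed_dropped_tmp(procs):
    """PIDs whose image is a short hex-named .tmp under ProgramData, as 88C4.tmp is."""
    return [p.pid for p in procs if TMP_IN_PROGRAMDATA.match(p.image)]


def self_deletion(procs):
    """(cmd pid, parent pid) pairs where cmd.exe /C DEL targets the parent's own image.
    The report's DEL target is the 8.3 alias C:\\PROGRA~3\\88C4.tmp, which cannot be
    expanded without the live volume, so only basenames are compared."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if PureWindowsPath(p.image).name.lower() != "cmd.exe":
            continue
        m = DEL_TARGET.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m is None or parent is None:
            continue
        if PureWindowsPath(m["target"]).name.lower() == PureWindowsPath(parent.image).name.lower():
            hits.append((p.pid, parent.pid))
    return hits


def bulk_rename(renames, threshold=3):
    """{(pid, ext): n} for processes that appended the same extension to >= threshold files."""
    counts = Counter()
    for r in renames:
        if r.dst.lower().startswith(r.src.lower() + "."):
            ext = r.dst[len(r.src) + 1:]
            if ext and "\\" not in ext:
                counts[(r.pid, ext.lower())] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def triage(procs, renames):
    return {
        "dropped_tmp_executed": executed_dropped_tmp(procs),
        "self_deletion": self_deletion(procs),
        "bulk_rename": bulk_rename(renames),
    }


if __name__ == "__main__":
    for rule, hits in triage(PROCS, RENAMES).items():
        print(f"{rule}: {hits}")
```

On real EDR telemetry the same three functions apply unchanged to process-creation and file-rename events; the basename comparison is deliberately loose, so a hit from self_deletion should be read together with the parent's location (here a dropped .tmp in ProgramData) before it is escalated.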

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\KKKKKKKKKKK
    Filesize 129B
    MD5 8e5da88e5ddddb23ba19764c5b1d20a8
    SHA1 6972b399d0436ed6d9ae0c88ad5c69112056f956
    SHA256 32351b37d61500b5aafe8c394440ac62e83828b9d11687acccab1d8cf77046e5
    SHA512 c1f765f8973215acbea2a776439bc8daf92300a1bdc0a424c0bd3b12192838a3b4927caaaadb18ab260cf7c0f971731f1a06ee3333f0c71550eca2913d7074c4
  • C:\ProgramData\88C4.tmp
    Filesize 14KB
    MD5 294e9f64cb1642dd89229fff0592856b
    SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
    Filesize 146KB
    MD5 b4738eea86d4a0b42a9258707875e72b
    SHA1 d456d583a96efea817649a3203aa0fdff2d15c8a
    SHA256 9bbf0c85536bfa443823438d674186e66573dce70855e96b1aba35bbb05fe463
    SHA512 1b87c1bcd47bc3d821bfab50c288565719576448a849cb1fc550acfa42c2d4a30c0b541719bfbf96c6d4e7810db454324057f1eeeaba7f72466e2a28a638fbfc
  • C:\Users\Admin\AppData\Local\Temp\{C854C92D-21E4-4A6B-9AA2-C91B268695B0}
    Filesize 4KB
    MD5 5f42bd09279f4d9d9f7d1c5b4315c300
    SHA1 343750b792ca71f64786c24da3a3042ba7b07f9d
    SHA256 991b158402c643756719619d1d99121d1dc008a8682778e3b27471073b0b8292
    SHA512 fa1a868172af91efc069c72005bd1f043cceaf4477b373ff73bf5fe9abebf00f59f700e0b0dab86cc33c1065be7bd8256cba0d2fb000d0740727744f33e3c3f8
  • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
    Filesize 4KB
    MD5 b781e0b8229efbf0c53a5c60f826a277
    SHA1 edb8a3f2a39585a4e3a915d284242b9e8047b98b
    SHA256 bbe7100c69440d4bbfd5cc431bf6efa8ef753483ed753669c923f3c7b48284b1
    SHA512 7637d9ba67937aefaef8b964e1e236a162adef4033d647a48c8924fd99bdb21c22bfea4721dce3a4214a3907cc8cef593e2f9f33f653f5299c25472ff69bc175
  • C:\Users\Admin\eAizhxrXl.README.txt
    Filesize 343B
    MD5 72b1ffaeb7de456483f491ecceadb088
    SHA1 ee1953abc295245ab01f35a4a823883826bf2b41
    SHA256 eb892eac9899b995047733bb17acd4945eb42b7b49f2ee8ad52b8026bc0297a7
    SHA512 c0e7cad617cf1490bb25fc47936edc3ae164b190ed34f2d2a50e7e84ce6e0d6712a6ba9ab351cca1589266078326a00317516c53fecf96f20eaefe15e92ce445
  • F:\$RECYCLE.BIN\S-1-5-21-2170637797-568393320-3232933035-1000\DDDDDDDDDDD
    Filesize 129B
    MD5 a07f4c04a41abea446e213ac3354e0f9
    SHA1 90b5a1437fa5c0711301757861cf1f7d2a33d50e
    SHA256 57141956a70add218e9144070a98c51f598319fc73f16924953c9299279597af
    SHA512 231d0e154cdda137be7bf9f785813f7a3d459923339627c271b0cca824907b313dfbf8b5cb75effc9292773e9ea973ed71e7ac93c6904ac6a8b41507e0e6436b
  • memory/3068-3035-0x00000000033A0000-0x00000000033B0000-memory.dmp
    Filesize 64KB
  • memory/3068-3036-0x00000000033A0000-0x00000000033B0000-memory.dmp
    Filesize 64KB
  • memory/3068-1-0x00000000033A0000-0x00000000033B0000-memory.dmp
    Filesize 64KB
  • memory/3068-0-0x00000000033A0000-0x00000000033B0000-memory.dmp
    Filesize 64KB
  • memory/3068-2-0x00000000033A0000-0x00000000033B0000-memory.dmp
    Filesize 64KB
  • memory/3068-3034-0x00000000033A0000-0x00000000033B0000-memory.dmp
    Filesize 64KB
  • memory/5016-3050-0x00007FFD82F70000-0x00007FFD82F80000-memory.dmp
    Filesize 64KB
  • memory/5016-3052-0x00007FFD82F70000-0x00007FFD82F80000-memory.dmp
    Filesize 64KB
  • memory/5016-3051-0x00007FFD82F70000-0x00007FFD82F80000-memory.dmp
    Filesize 64KB
  • memory/5016-3085-0x00007FFD80BA0000-0x00007FFD80BB0000-memory.dmp
    Filesize 64KB
  • memory/5016-3086-0x00007FFD80BA0000-0x00007FFD80BB0000-memory.dmp
    Filesize 64KB
  • memory/5016-3049-0x00007FFD82F70000-0x00007FFD82F80000-memory.dmp
    Filesize 64KB
  • memory/5016-3048-0x00007FFD82F70000-0x00007FFD82F80000-memory.dmp
    Filesize 64KB
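The hashes above are the indicators a responder takes away from this run. The script below is an added example, not part of the report: it sweeps a directory tree, hashes every regular file once and flags files whose SHA256 is one of the report's values for the submitted sample, the dropped 88C4.tmp or the ransom note, or whose name follows the note's pattern (NOTE_NAME, an assumed generalisation of the single name eAizhxrXl.README.txt on this page). It runs against a constructed temporary directory, and the constructed stand-in for 88C4.tmp is registered by its own hash, since the real bytes of that file are not on this page.

```python
"""IoC sweep against the hashes and filenames a sandbox report lists.

Added example for this report, not vendor code. REPORT_IOCS holds SHA256
values copied from the report for the submitted sample, the dropped
C:\\ProgramData\\88C4.tmp and the ransom note C:\\Users\\Admin\\eAizhxrXl.README.txt.
NOTE_NAME generalises the one note name the report shows and is an assumption.
The demo target is a temporary directory of constructed files, so the run is
offline; the constructed stand-in for 88C4.tmp is registered by its own hash
because the real bytes are not on this page.
"""
import hashlib
import re
import tempfile
from pathlib import Path

REPORT_IOCS = {
    "a88c337c37e65b1ed0a7083125000e0d1284a9d89770a9ef0f8ea689405c558a":
        "submitted sample 2024-09-14_7846b146a31b75e9c8617e9b418fb3f1_darkside.exe",
    "917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2":
        "dropped helper C:\\ProgramData\\88C4.tmp",
    "eb892eac9899b995047733bb17acd4945eb42b7b49f2ee8ad52b8026bc0297a7":
        "ransom note eAizhxrXl.README.txt",
}
# Assumed pattern: a short alphanumeric token followed by .README.txt, as in the report's note.
NOTE_NAME = re.compile(r"^[A-Za-z0-9]{5,12}\.README\.txt$")


def sha256_of(path, chunk=1 << 20):
    """Streaming SHA256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=REPORT_IOCS):
    """Return [(path, reason)] for every regular file under root that matches a
    known SHA256 or the ransom-note filename pattern. Each file is hashed once."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        if NOTE_NAME.match(p.name):
            hits.append((str(p), "filename matches ransom-note pattern"))
        digest = sha256_of(p)
        if digest in iocs:
            hits.append((str(p), f"sha256 matches report IoC: {iocs[digest]}"))
    return hits


def build_demo_dir():
    """Constructed tree: a note-named file with placeholder contents (so only the
    name matches), a stand-in for 88C4.tmp registered by hash, and a clean file."""
    root = Path(tempfile.mkdtemp(prefix="ioc_sweep_"))
    user = root / "Users" / "Admin"
    user.mkdir(parents=True)
    (user / "eAizhxrXl.README.txt").write_bytes(b"constructed placeholder, not the real note\n")
    (user / "notes.txt").write_bytes(b"benign file\n")
    dropped = root / "ProgramData" / "88C4.tmp"
    dropped.parent.mkdir()
    dropped.write_bytes(b"constructed placeholder for the dropped helper\n")
    iocs = dict(REPORT_IOCS)
    iocs[sha256_of(dropped)] = "constructed stand-in for 88C4.tmp"
    return root, iocs


if __name__ == "__main__":
    demo_root, demo_iocs = build_demo_dir()
    for path, reason in sweep(demo_root, demo_iocs):
        print(f"{path}  <-  {reason}")
```

Hash matching only finds byte-identical files, so on a real host this turns up the note and perhaps the helper, never the renamed user files. Because the process tree shows 88C4.tmp deleting itself through cmd.exe /C DEL, the helper is often already gone by the time of a sweep, which makes the note filename and the cmd.exe command line from the tree the more durable indicators.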