Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-09-2024 08:54

General

  • Target

    202409158b4ff23ebd887a44d0383ef513aca063darkside.exe

  • Size

    146KB

  • MD5

    8b4ff23ebd887a44d0383ef513aca063

  • SHA1

    ec4d050d74b2088ccdc5e75955a011506e1b1687

  • SHA256

    cd4a001ca9419ac6e0220333a5d0a843698abf5bab58040fdf1725df6e2f34ed

  • SHA512

    40e6d5ad6137ddbd552e9902d9671ab26eb678499c1249204445cee7896b887a1f0fd48690d7066667459ef3c8e8a4fb2cdb07a93cc02266e21b1555d7f942e8

  • SSDEEP

    3072:Y6glyuxE4GsUPnliByocWepf3Ggr5QZLkZKXNx:Y6gDBGpvEByocWeZGgFoz

Malware Config

Signatures

  • Renames multiple (603) files with added filename extension

    This suggests ransomware activity: the sample is encrypting files across the system and appending an extension to each one it touches.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\202409158b4ff23ebd887a44d0383ef513aca063darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\202409158b4ff23ebd887a44d0383ef513aca063darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:1544
    • C:\ProgramData\ED8D.tmp
      "C:\ProgramData\ED8D.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\ED8D.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2736
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:1500
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{C24619A2-1F26-4DD8-A7A2-DA006E0719C8}.xps" 133708640892640000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:1684
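The chain in the middle of the tree, ED8D.tmp (PID 3020) spawning cmd.exe to DEL its own image through the 8.3 short path C:\PROGRA~3\ED8D.tmp, is what the "Deletes itself" and "Indicator Removal: File Deletion" signatures fire on. The Python below is an added example, not part of the report: it runs that detection over constructed process-creation events (PIDs, images and command lines copied from the tree, plus an invented benign installer that deletes only its own log), and shows the one edge case worth handling, which is that the DEL target and the parent image name the same file in different spellings. The 8.3 alias table is an assumption about a default Windows 10 install, not something read from the sandbox host.

```python
import ntpath
import re

# Constructed process-creation events modelled on the process tree above.
# PIDs, images and command lines of the three malicious entries are copied
# from it; the installer entries (PIDs 900 and 4100) are invented.
SAMPLE_EVENTS = [
    {"pid": 1172, "ppid": 4,
     "image": r"C:\Users\Admin\AppData\Local\Temp\202409158b4ff23ebd887a44d0383ef513aca063darkside.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\202409158b4ff23ebd887a44d0383ef513aca063darkside.exe"'},
    {"pid": 3020, "ppid": 1172, "image": r"C:\ProgramData\ED8D.tmp",
     "cmdline": r'"C:\ProgramData\ED8D.tmp"'},
    {"pid": 2736, "ppid": 3020, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\ED8D.tmp >> NUL'},
    # Benign: an installer removing its own log file, not its own image.
    {"pid": 900, "ppid": 4, "image": r"C:\Users\Admin\Downloads\setup.exe",
     "cmdline": r'"C:\Users\Admin\Downloads\setup.exe" /S'},
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q C:\Users\Admin\AppData\Local\Temp\setup.log'},
]

# 8.3 short-name aliases as they usually appear on a default Windows 10
# install. This is an assumption, not data from the sandbox host: short
# names depend on directory creation order, so confirm with `dir /x C:\`
# on the actual machine before relying on the mapping.
SHORT_NAMES = {
    "PROGRA~1": "Program Files",
    "PROGRA~2": "Program Files (x86)",
    "PROGRA~3": "ProgramData",
}

# DEL or ERASE, any number of single-letter switches, then one target path
# (quoted or unquoted, stopping at redirection and chaining operators).
DEL_RE = re.compile(r'\b(?:del|erase)\b((?:\s+/[a-z])*)\s+("[^"]+"|[^\s&|>]+)',
                    re.IGNORECASE)


def del_targets(cmdline):
    """Paths passed to DEL/ERASE in a cmd.exe command line, quotes stripped."""
    return [m.group(2).strip('"') for m in DEL_RE.finditer(cmdline)]


def normalize_path(path):
    r"""Lower-case a path and expand known 8.3 segments so that
    C:\PROGRA~3\ED8D.tmp and C:\ProgramData\ED8D.tmp compare equal."""
    segments = path.strip('"').split("\\")
    return "\\".join(SHORT_NAMES.get(s.upper(), s) for s in segments).lower()


def find_self_deletions(events):
    """Flag cmd.exe DEL commands whose target is the parent process's own image.

    confidence is "high" when the normalised paths match exactly and
    "medium" when only the file names match and the target used an 8.3
    segment the alias table could not expand.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        parent_image = normalize_path(parent["image"])
        for target in del_targets(e["cmdline"]):
            norm = normalize_path(target)
            if norm == parent_image:
                confidence = "high"
            elif ntpath.basename(norm) == ntpath.basename(parent_image) and "~" in target:
                confidence = "medium"
            else:
                continue
            findings.append({
                "deleter_pid": e["pid"],
                "parent_pid": parent["pid"],
                "deleted_image": parent["image"],
                # Corroborating signal from the tree: the deleted image was a
                # dropped .tmp executable under ProgramData.
                "dropped_tmp": parent_image.startswith(r"c:\programdata")
                               and parent_image.endswith(".tmp"),
                "confidence": confidence,
            })
    return findings


if __name__ == "__main__":
    for f in find_self_deletions(SAMPLE_EVENTS):
        print(f)
```

Matching on the parent's image rather than on "cmd.exe deleting something in ProgramData" is what keeps the installer out of the results, and the medium-confidence branch is there because a production host may use a short name the table does not know.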

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\AAAAAAAAAAA

      Filesize

      129B

      MD5

      936feeb10fb1559fe4a0850e42d97a55

      SHA1

      59fb7622cf8b032666aaf8fbc364d29941bdbd0e

      SHA256

      3df57fe1f1c02c74a5ee994f71c7c74ef7fdedc6ad73ea3ffb52da364e78751b

      SHA512

      e7d3e3d7d898dfeb16b33e808eb38a3c181d4d6a9358f91b263b058d64d80a5bfd4fd00bc06135c44f4567070b16d3f5de8fe00b701907bfadaf553471e94314

    • C:\ProgramData\ED8D.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\SsCWUDNQz.README.txt

      Filesize

      343B

      MD5

      72b1ffaeb7de456483f491ecceadb088

      SHA1

      ee1953abc295245ab01f35a4a823883826bf2b41

      SHA256

      eb892eac9899b995047733bb17acd4945eb42b7b49f2ee8ad52b8026bc0297a7

      SHA512

      c0e7cad617cf1490bb25fc47936edc3ae164b190ed34f2d2a50e7e84ce6e0d6712a6ba9ab351cca1589266078326a00317516c53fecf96f20eaefe15e92ce445

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      146KB

      MD5

      89ec8fe298b837b3375accff36838e2a

      SHA1

      9b47a0cd415380826c11dc1a9a269cf318f06eab

      SHA256

      c237053753812173def4be25c06c1e5a938327ebfe390ac751725ef9388052de

      SHA512

      44eee77412019ef0913130b1c5801f8da02e70dc26174878b8b33ecf5649a84816b62d225737b06ad07f48bcd11048b10df16938726b522829b3e6bf2c55ae6e

    • C:\Users\Admin\AppData\Local\Temp\{91F33852-CE00-42B0-96D2-176D3B878147}

      Filesize

      4KB

      MD5

      78b4d818db8aebe7a1bfc34afbadf6ea

      SHA1

      7e73b66f7d32dc9cfecc8d041838b1eb5c461d3a

      SHA256

      2331e82ac6a67a5ed1139fec568d2f88f34d4f6b0c17d9d9885321fbf2d2d85d

      SHA512

      a7b1345c0b91dff2dce69681400f93130e5d664a01d4434c09aa1b4c4e4fb69183b2adc71cd7d67815cbd1aa2ddb830620d76ba2be886c3f2fba4ceb2f57c722

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      7ca45fa4b589fca49c7cc5986301ed94

      SHA1

      a6764cfc901bcbd634cadcd4987eb5647317a731

      SHA256

      62ce99f86e43c730a3250d1744c30297958c841bd2a08b587dfbb46fca7faca7

      SHA512

      a4e3accbc54852ad478d24e0673bd981eb1ed802f328dc64705a501c624114d0eae754b02270e42ee1586ff11a8d115ec575fdd96eead7bbddcd0cb8dd970291

    • F:\$RECYCLE.BIN\S-1-5-21-4182098368-2521458979-3782681353-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      632dac5b00621ffbd2dcad187157003c

      SHA1

      8d8ff9c7d16f38b11b00b8dede1f073a37c3f18c

      SHA256

      e5c97e5183c3dbee7e46a325465bf6f6261aa70070a9a5a066ac2d9387696ad3

      SHA512

      8b597189910877929a09c175989f82714e637de09abb0e169385430192486ba1c5d78a9250998c7f1c8a67882b34ef2405914a0dddd3de0cdf4ca39ffd4078e0

    • memory/1172-0-0x0000000002D60000-0x0000000002D70000-memory.dmp

      Filesize

      64KB

    • memory/1172-2-0x0000000002D60000-0x0000000002D70000-memory.dmp

      Filesize

      64KB

    • memory/1172-2950-0x0000000002D60000-0x0000000002D70000-memory.dmp

      Filesize

      64KB

    • memory/1172-2952-0x0000000002D60000-0x0000000002D70000-memory.dmp

      Filesize

      64KB

    • memory/1172-2951-0x0000000002D60000-0x0000000002D70000-memory.dmp

      Filesize

      64KB

    • memory/1172-1-0x0000000002D60000-0x0000000002D70000-memory.dmp

      Filesize

      64KB

    • memory/1684-2968-0x00007FF7E3C90000-0x00007FF7E3CA0000-memory.dmp

      Filesize

      64KB

    • memory/1684-2971-0x00007FF7E3C90000-0x00007FF7E3CA0000-memory.dmp

      Filesize

      64KB

    • memory/1684-3000-0x00007FF7E3C90000-0x00007FF7E3CA0000-memory.dmp

      Filesize

      64KB

    • memory/1684-3001-0x00007FF7E1C30000-0x00007FF7E1C40000-memory.dmp

      Filesize

      64KB

    • memory/1684-3002-0x00007FF7E1C30000-0x00007FF7E1C40000-memory.dmp

      Filesize

      64KB

    • memory/1684-2969-0x00007FF7E3C90000-0x00007FF7E3CA0000-memory.dmp

      Filesize

      64KB

    • memory/1684-2970-0x00007FF7E3C90000-0x00007FF7E3CA0000-memory.dmp

      Filesize

      64KB