Analysis

  • max time kernel
    146s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-09-2024 00:24

General

  • Target

    2024-09-20_01917d8ef944c6fda4666f67b4927d46_darkside.exe

  • Size

    146KB

  • MD5

    01917d8ef944c6fda4666f67b4927d46

  • SHA1

    4b811bfc90504e935774457b002d785143804f24

  • SHA256

    9c09ece9784fad75103d9ecc51a7036dd1b9d6b9ddf945c580abc9e626e39d1a

  • SHA512

    395dd71cfc7be177f84e4be772f3ca869e7915c951cc183cb708deb0a464215b447901f1744f8c71d141481c4ca02f3ba53e69e1f43f73ff59307744ce05fa53

  • SSDEEP

    3072:p6glyuxE4GsUPnliByocWepjQ2d2jAhBHIWh1o:p6gDBGpvEByocWe3dFhBoWh1o

Malware Config

Signatures

  • Renames multiple (620) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-20_01917d8ef944c6fda4666f67b4927d46_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-20_01917d8ef944c6fda4666f67b4927d46_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3496
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:5132
    • C:\ProgramData\B68F.tmp
      "C:\ProgramData\B68F.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:5708
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B68F.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5964
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:5596
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5528
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{7C2B3DF2-411D-4C67-99A9-C3815DE904DD}.xps" 133712654641510000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:5624

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\YYYYYYYYYYY

      Filesize

      129B

      MD5

      9762ea82dd25dc819274124f36aa92bd

      SHA1

      258b96bfe1ed9241bdc9e8f121fe6c8e2db0e8bf

      SHA256

      2dba2b77820b7c39957be17bb3f54d823030f598ed622709213f9d79886c8d32

      SHA512

      e5ac75a05a38a4f560313f389c8084990ae6d8b741486689af408791aedc3d6cb2cb082dc23d8b27442736ac197bbd1e6121991787f926b8cc8d454c4c445d78

    • C:\DKZkRSDld.README.txt

      Filesize

      343B

      MD5

      72b1ffaeb7de456483f491ecceadb088

      SHA1

      ee1953abc295245ab01f35a4a823883826bf2b41

      SHA256

      eb892eac9899b995047733bb17acd4945eb42b7b49f2ee8ad52b8026bc0297a7

      SHA512

      c0e7cad617cf1490bb25fc47936edc3ae164b190ed34f2d2a50e7e84ce6e0d6712a6ba9ab351cca1589266078326a00317516c53fecf96f20eaefe15e92ce445

    • C:\ProgramData\B68F.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

      Filesize

      146KB

      MD5

      2ce44b9b321b1451edf191ede69c7eeb

      SHA1

      564b21c6382ec43b7dce0cafb99f3d8de3de0e2c

      SHA256

      be37dcb09609e8aae795092cf64ab8f1742527ae5518a21e857512eab0743122

      SHA512

      e382209309f0d44fe5fab0c5aa0b97c2e62ef2806da418fa8b0ed46ba640cac041dd1a9f82c91f57f04bc70f61fd1495b9c4e26ab18db5c6540f01c1f7002f69

    • C:\Users\Admin\AppData\Local\Temp\{39D98CDB-C7AD-44D8-B4BA-93EA08C4BBF0}

      Filesize

      4KB

      MD5

      f8ae77ae689ab57ab60eabc82d0b1acf

      SHA1

      8ed42c5af4b482202ac05e9c1bd265edd2c63efe

      SHA256

      22001d299418250b00ec84188a4874f3ac71f6a044e63a2b85ce64d8e1bdc7ee

      SHA512

      c24090266c9ed44cf1762614ceb17134dab10f4da6c5b664d85221d7aed571ba2339ccd2c66e7c9e62f7a7b1cb37004fe0e955619953f7ee91f3d25648d1441e

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      aff5746ed00d33e117553b835a5a0ec1

      SHA1

      7771b17802823444e9736d07809c072eedf3fa79

      SHA256

      143a1a87096230e8f43f3fa388ac804cfcd4f6deb3ad954b8eb6a2b7d602b746

      SHA512

      c3304fc06f06b2051418d5ed1ceb4293dd36491eca290d65fbfe3078aa8e0206475d2035ec68820812e04ca9d97c668f89c54377dd6dcc88361b091694035d6f

    • F:\$RECYCLE.BIN\S-1-5-21-523280732-2327480845-3730041215-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      592dd7f726d40e631fb090a890fdee59

      SHA1

      26fa4f1023dd47778bfef78375463898a8f670ed

      SHA256

      1d6259eedac0cd92c7560e51151757dde94bb7c95830eb3adda16d38241a740a

      SHA512

      deb3140a79a85d3496fb60c7a07503779edfb9c1cb6f9013aba680163c9ce0aff74db8b25f7f1fb9d02fe91aaeb26dff0c0215cbedc110b19a293791d6095793

    • memory/3496-0-0x0000000002D20000-0x0000000002D30000-memory.dmp

      Filesize

      64KB

    • memory/3496-2-0x0000000002D20000-0x0000000002D30000-memory.dmp

      Filesize

      64KB

    • memory/3496-2802-0x0000000002D20000-0x0000000002D30000-memory.dmp

      Filesize

      64KB

    • memory/3496-2803-0x0000000002D20000-0x0000000002D30000-memory.dmp

      Filesize

      64KB

    • memory/3496-2804-0x0000000002D20000-0x0000000002D30000-memory.dmp

      Filesize

      64KB

    • memory/3496-1-0x0000000002D20000-0x0000000002D30000-memory.dmp

      Filesize

      64KB

    • memory/5624-2822-0x00007FF946610000-0x00007FF946620000-memory.dmp

      Filesize

      64KB

    • memory/5624-2817-0x00007FF946610000-0x00007FF946620000-memory.dmp

      Filesize

      64KB

    • memory/5624-2821-0x00007FF946610000-0x00007FF946620000-memory.dmp

      Filesize

      64KB

    • memory/5624-2853-0x00007FF943DA0000-0x00007FF943DB0000-memory.dmp

      Filesize

      64KB

    • memory/5624-2854-0x00007FF943DA0000-0x00007FF943DB0000-memory.dmp

      Filesize

      64KB

    • memory/5624-2818-0x00007FF946610000-0x00007FF946620000-memory.dmp

      Filesize

      64KB

    • memory/5624-2819-0x00007FF946610000-0x00007FF946620000-memory.dmp

      Filesize

      64KB