General

  • Target

    2024-09-22_ef8b996e4d7e84c179f8268f3d686195_darkside

  • Size

    146KB

  • Sample

    240922-necsvsxalm

  • MD5

    ef8b996e4d7e84c179f8268f3d686195

  • SHA1

    07057ff4fd122bca513bbce0cbaa1174d50caf01

  • SHA256

    d582110cd8a31d867e1a1eada4fb726acbbf960bed0aafeec854e455bc53403f

  • SHA512

    6c434febdbf2e57328a118d249d3a8ed736749671b605c9baabecbcafc4040ab10f0c0ce94f6f2551286fc213b4f88a6079271ff4971f524a36211b25f70b90b

  • SSDEEP

    3072:gqJogYkcSNm9V7DXW5I4KNGHsOqhNDvtdT:gq2kc4m9tDXW5fdqh

Malware Config

Targets

    • Target

      2024-09-22_ef8b996e4d7e84c179f8268f3d686195_darkside

    • Size

      146KB

    • MD5

      ef8b996e4d7e84c179f8268f3d686195

    • SHA1

      07057ff4fd122bca513bbce0cbaa1174d50caf01

    • SHA256

      d582110cd8a31d867e1a1eada4fb726acbbf960bed0aafeec854e455bc53403f

    • SHA512

      6c434febdbf2e57328a118d249d3a8ed736749671b605c9baabecbcafc4040ab10f0c0ce94f6f2551286fc213b4f88a6079271ff4971f524a36211b25f70b90b

    • SSDEEP

      3072:gqJogYkcSNm9V7DXW5I4KNGHsOqhNDvtdT:gq2kc4m9tDXW5fdqh

    • Renames multiple (376) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks