Resubmissions

24-09-2024 02:38

240924-c4vjeswflc 10

24-09-2024 01:36

240924-b1m5hawbke 10

Analysis

  • max time kernel
    66s
  • max time network
    42s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    24-09-2024 02:38

General

  • Target

    2024-09-24_8f07589938ea42db794ebef25c755965_darkside.exe

  • Size

    147KB

  • MD5

    8f07589938ea42db794ebef25c755965

  • SHA1

    aa6f9576dfc56a6fccb37d9e70ed0bb441e084e8

  • SHA256

    8cdabda0c32376426e32048c867b7d66d9df6a3f0da53baef67e1a30abd444b7

  • SHA512

    79e553062ea5e4de34245bc9e8e6a26db2823cd12d51995e401ebfe47ece36a0a7819a2cad79bf14894a1ca30c9a3587a6101b7e8c3ae1432351deebe8fd86e8

  • SSDEEP

    1536:ZzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDYediJW5QdpkLMuAkHiWIlqUyz:iqJogYkcSNm9V7DFEW5QAQrRW2qT

Malware Config

Extracted

Path

C:\LOyx4shPX.README.txt

Ransom Note
########################################################################################
YOUR COMPANY NETWORK HAS BEEN PENETRATED
All your important files have been encrypted!
Your files are safe! Only modified. (RSA+AES)
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.
No software available on internet can help you. We are the only ones able to solve your problem.
We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future..
We only seek money and our goal is not to damage your reputation or prevent your business from running.
You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back.
YOUR PERSONAL ID: BtVU0r1vpQsdlbLPcJmi8jToR3hqNAaz6fZuMx9gH5kyEOwXYG2KeCFn
Contact us, use the email: [email protected] [email protected]
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Signatures

  • Renames multiple (181) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-24_8f07589938ea42db794ebef25c755965_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-24_8f07589938ea42db794ebef25c755965_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:4712
    • C:\ProgramData\DAE0.tmp
      "C:\ProgramData\DAE0.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:636
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DAE0.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5240
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:1532
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{84C42661-703D-4814-B5A6-9F87CFE5B692}.xps" 133716191113740000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2508
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
      1⤵
        PID:5580
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\LOyx4shPX.README.txt
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\$Recycle.Bin\S-1-5-21-1735401866-3802634615-1355934272-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        3756c8ca87bb18fd450204ab12b07143

        SHA1

        2dca455f55cc57b27685c62bc4970de9e58fd9ca

        SHA256

        2bf89b544ad884a0036aa0d8ecb2198f2c35cf20e0c7c24ca58a6b84cfa02ad0

        SHA512

        eb903fad9de5c01eef7697598377c8319490eecb6d012ad31bd33bd90c87e390132bbb5c4a98139aef1ba47fcf4f32e2b4af03a8df68ff82e72d6ba94f78f4f5

      • C:\LOyx4shPX.README.txt

        Filesize

        1KB

        MD5

        88cf2517f115408ab7aed8c749642095

        SHA1

        18d3e6939413777568c48969d034325dac990826

        SHA256

        db34f0ce8a7806f24be30cbb2fbfe4b1d2a54fc0aa15f1a6bb0bb8732222ae77

        SHA512

        027517ca25064985f7f085704e0a77622d86cdc390e386ebfef8f758b6b0bf4f9dad9f088478900a6d399f8bb95d0197949ff62b71f2815cbdecb7909f43aad3

      • C:\ProgramData\DAE0.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

        Filesize

        147KB

        MD5

        3e31fd3ca4bf68fb61565da93366c770

        SHA1

        a60157a46ff508405dda1f97850de532a7799c1e

        SHA256

        f5e5805e578e880eb41ddf8f4fe0c4fffd4a00abcba71bda35e87ee99fb18311

        SHA512

        d1712231bf3682f42e0cae9bc96b1af91b9296cb96ec38cc73759bccd35b1226c5ce41e2f2e938f8aebb9408810adfc4e02f1c2ed4f116394f3391e997fab191

      • C:\Users\Admin\AppData\Local\Temp\{E617ADA7-73BB-4BEF-B95B-B04443C86377}

        Filesize

        4KB

        MD5

        544f5700bf86b3f161ae614bb253d85e

        SHA1

        831b3c5b7d5399ad712970f1f568b5014a487577

        SHA256

        f5d8d2b104adc40e1765dbc65132747053e145c9a48f88be69ffe9ba5f84e63d

        SHA512

        47013eb6e23595a439f5b62f83c6baed7316f1762f3752335ad8e531cc54e718da21c931c3bcd1fedc106e69a41ef4859a82421a847e3ba61b1571828b73111e

      • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

        Filesize

        4KB

        MD5

        8c291f5a535d43ef24542758082b8bbd

        SHA1

        047c7e43b859516fae083528bc0e9b75546d4679

        SHA256

        7679796f1cfbfd35fb6ae6ce2d21f9d5d8e2ff26591ecbb534db31575fd94556

        SHA512

        63e22147a18ff45d772404fe09ec2a36da0c5b1cd593cd9fda0a0fcfcb89f3dd8080b619b895046e057e5ad77e93d96b7712a2d354c38956831b6bf8bc94a7e0

      • F:\$RECYCLE.BIN\S-1-5-21-1735401866-3802634615-1355934272-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        161b224ec16021c98058c29ee26355b5

        SHA1

        a92a4bc599c62838ded0142be49e3126ff3f7374

        SHA256

        90f04c7fc98bc028b31263105636e30565d9dea29d62985db575fe3732852190

        SHA512

        8731521209c86f06d20dab2412b3a4b495822efebb9c9ffd695907c44297d98ace3c4d47e36d3ef39a770867e7d5dfe11d68076e91c8c263055deca326a6473b
