Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-09-2024 01:03

General

  • Target

    2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe

  • Size

    147KB

  • MD5

    0ebb815bbd3f1b249d4a86d18e5f064b

  • SHA1

    474fea9f172a6d6857a133755953330ae802409b

  • SHA256

    6fa257b42aa0e3323fbf6ca0026f331fe58447e22224d2f0ea8e533bd9eed096

  • SHA512

    a427c4d7ed3d9565c9051801ea6d38ffbd293b2dee0ad54e71b573bfee5030de4c9ca7132373ce90a051201d1c01e07990a877c07e5ab6c73017140e580a24ba

  • SSDEEP

    1536:8zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD4056A76O4xEwyamTS8GHViXqWB:zqJogYkcSNm9V7Drl7Z4q3S4XqWbJT

Malware Config

Extracted

Path

C:\dZGlueXae.README.txt

Ransom Note
########################################################################################
YOUR COMPANY NETWORK HAS BEEN PENETRATED
All your important files have been encrypted!
Your files are safe! Only modified. (RSA+AES)
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.
No software available on internet can help you. We are the only ones able to solve your problem.
We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future..
We only seek money and our goal is not to damage your reputation or prevent your business from running.
You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back.
YOUR PERSONAL ID: iwy8hbK5HseAftoI3culO2J96rYqV1LNandZ4zQU0GmXPxkSDWM7EFgp
Contact us, use the email: [email protected] [email protected]
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Signatures

  • Renames multiple (160) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\ProgramData\5D2D.tmp
      "C:\ProgramData\5D2D.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5D2D.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2408
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:440

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      547cde25c351bd15a133cd3d4445825d

      SHA1

      74a7da6ee63c53a906b6ecb992aad2625065df2f

      SHA256

      b713b6c0d177c38a644f0389ee3a8a6f9a7d62eca161c08e953b14d9456ed7ea

      SHA512

      ed4119d8815d2ba3260e2459e41f418a9267649dd032ef9b4985e8c0e30d04615f30285cfebe6915a4b42dc052611389e7cb03a5770b16cd4215c2cbc0bfbfcb

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      147KB

      MD5

      938b867168788b54a8df029c45ef4776

      SHA1

      3441453db254b21cf732a1e61f89a184bcc4853f

      SHA256

      63a7367fe086b9bdbc837e6b779824966db5a2216d02e413ee357921589c805a

      SHA512

      fc00185f0b6b7ecf8f64ddbdba7070f7612dd514209b70a93bf2465502af8b02ddd0939e2bbc3aa3e806c17040df54548deb0369a2d3808af2ebf95bc709dd56

    • C:\dZGlueXae.README.txt

      Filesize

      1KB

      MD5

      194200178a1b5be9df886d8b4820dc97

      SHA1

      6241b893856c6ff3b43ab900f06a1d34d52b23ee

      SHA256

      50f815a145695bc049ba880c4583dc3417a29b8a94613918ebefb0e5be16eb75

      SHA512

      c67d782579620c8438b4557b0f6a2c806880eba210ac034d2b46189bae7aea167c871582ce00adead3cd6341c5240cb6f820318e91d58a909550106ad6eba9bc

    • F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      8e30bc2ca510317e2b3c7ffeb499d5d6

      SHA1

      e0ba6942d90a35bd1f35a3a19dffb756dbe721e4

      SHA256

      c2ebcdf724c62b6ec1151a2411dfb62ee3f600f1c699e66320f5d4159a5d9df5

      SHA512

      aa44dfa3e3fcb6cc60c3ab6a3af7e65862ef99ddd3f0075371633bcb32b8d9bd1b7cf84b32a1462c01aea2a854f9566c2272c29a705dcc5ce8bd8fdd17dc0fdb

    • \ProgramData\5D2D.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/1120-0-0x0000000000EB0000-0x0000000000EF0000-memory.dmp

      Filesize

      256KB

    • memory/1772-293-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

    • memory/1772-292-0x00000000020E0000-0x0000000002120000-memory.dmp

      Filesize

      256KB

    • memory/1772-291-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

    • memory/1772-290-0x00000000020E0000-0x0000000002120000-memory.dmp

      Filesize

      256KB

    • memory/1772-289-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

    • memory/1772-323-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

    • memory/1772-322-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB