Analysis

  • max time kernel: 146s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 29-09-2024 03:30

General

  • Target: 2024-09-29_8911139e0686509cbf44954ba2ba6675_darkside.exe
  • Size: 150KB
  • MD5: 8911139e0686509cbf44954ba2ba6675
  • SHA1: f16aad9a562b1de55e33b2de23abaa7eb0a4a5c7
  • SHA256: 4f395d7d4d5c2578f957070e4b0acc6d4bc2d0761f39258e990f2070bd3db2fc
  • SHA512: d20a28ac9987409dfb450740f904138e7ffb5ce16cb7ae13b29061b990136e472cef56427e35a337d07d100e6a6c3ddf08c82a6d402f97c468b73ad8c2d4f6a1
  • SSDEEP: 3072:AqJogYkcSNm9V7D5KbhIJ+2EE9ZzoZmT:Aq2kc4m9tD5KmJ0EnMZ

Malware Config

Extracted

Path: C:\tMAXi4m5p.README.txt

Ransom Note:

Hello my dear friend.
Do not scan the files with antivirus in any case. In case of data loss, the consequences are yours.
Your data is encrypted
Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted
The only method of recovering files is to purchase decrypt tool and unique key for you.
If you want to recover your files, write us to this e-mail: [email protected]
In case of no answer in 24 hours write us to this backup e-mail: [email protected]
Check your e-mail Spam or Junk folder if you don't get answer more than 6 hours.
Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly.
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software - it may cause permanent data loss.
We are always ready to cooperate and find the best way to solve your problem.
The faster you write - the more favorable conditions will be for you.
Our company values its reputation. We give all guarantees of your files decryption.
What are your recommendations?
- Never change the name of the files, if you want to manipulate the files, be sure to back them up. If there are any problems with the files, we are not responsible for them.
- Never work with intermediary companies because they charge you more money. Don't be afraid of us, just email us.
Sensitive data on your system was DOWNLOADED.
If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly.
Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Private financial information including: clients data, bills, budgets, annual reports, bank statements.
- Manufacturing documents including: datagrams, schemas, drawings in solidworks format
- And more...
What are the dangers of leaking your company's data.
First of all, you will receive fines from the government such as the GDRP and many others, you can be sued by customers of your firm for leaking information that was confidential. Your leaked data will be used by all the hackers on the planet for various unpleasant things. For example, social engineering, your employees' personal data can be used to re-infiltrate your company. Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered. On another vacation trip, you will have to explain to the FBI where you got millions of dollars worth of stolen cryptocurrency transferred through your accounts on cryptocurrency exchanges. Your personal information could be used to make loans or buy appliances. You would later have to prove in court that it wasn't you who took out the loan and pay off someone else's loan. Your competitors may use the stolen information to steal technology or to improve their processes, your working methods, suppliers, investors, sponsors, employees, it will all be in the public domain. You won't be happy if your competitors lure your employees to other firms offering better wages, will you? Your competitors will use your information against you. For example, look for tax violations in the financial documents or any other violations, so you have to close your firm. According to statistics, two thirds of small and medium-sized companies close within half a year after a data breach. You will have to find and fix the vulnerabilities in your network, work with the customers affected by data leaks. All of these are very costly procedures that can exceed the cost of a ransomware buyout by a factor of hundreds. It's much easier, cheaper and faster to pay us the ransom. Well and most importantly, you will suffer a reputational loss, you have been building your company for many years, and now your reputation will be destroyed.
Do not go to the police or FBI for help and do not tell anyone that we attacked you. They won't help and will only make your situation worse.

Signatures

  • Renames multiple (614) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-29_8911139e0686509cbf44954ba2ba6675_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-29_8911139e0686509cbf44954ba2ba6675_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:4356
    • C:\ProgramData\4DBE.tmp
      "C:\ProgramData\4DBE.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4DBE.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4732
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:3296
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4408
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{02727A24-79A6-41A8-85CA-35DD8798107F}.xps" 133720542597940000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:4496

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\RRRRRRRRRRR
      Filesize: 129B
      MD5: 895670f5607d2ca1da669a1aacc8be13
      SHA1: eb3704d71419945b0222d7dde42fe338af74bd4d
      SHA256: 91b922dce1dc758ecc346e18c98d961c10c2c21449090b45d1db2a6507ad72b3
      SHA512: c1dedc5324c9f0d8acd9cb5eb6c3ea77d61e3544d920f741c36a1f8d473a110695a46f33093f77f9fd2a12e4d895ea0b368caef8607405500fd864a26d40997e

    • C:\ProgramData\4DBE.tmp
      Filesize: 14KB
      MD5: 294e9f64cb1642dd89229fff0592856b
      SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
      SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
      SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
      Filesize: 150KB
      MD5: 15bb26890037cd8658a46d6461d71b74
      SHA1: 2bb41ef69a3183038bd646b62672900a5ac8b1be
      SHA256: cba1971a249372f24cc5f8cf2991b7f3039679c46042a889cbc5890d4d2a196f
      SHA512: d84f690383a64e7bde68ef5b8bdc39683ed333644394f6cf659e4758fa784025f36f238311bf6a81f62907d1c680704b77ffc88477b089190e7b541df0d8a752

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
      Filesize: 4KB
      MD5: 14f90719134f3155c5403e6498a6595c
      SHA1: 049c3ff913611ca7bd07a3b5cd9747cd57399aa3
      SHA256: ae2cb1e271661577c5e43db16646a0aff9047efe5cde57a5cca37e308aa3dc85
      SHA512: e7212251ccdb5a91c478a0b6fd0a9370871e5fefed10f8c3c08b7e2a665a3b19ecdfe1e1a3c6165950f8b89ac030bbcb73fcd555e2e8b8e852306523d5b0b803

    • C:\tMAXi4m5p.README.txt
      Filesize: 3KB
      MD5: 3b2c7f51fe80e142a7dbbf0d3565e398
      SHA1: dc32f374357a8057bbe023e9e2ba9755b04388b3
      SHA256: 8ce7b3a993e3ab7bec11db06274026cc24cd6f04649db19e0b8a2e3c64177803
      SHA512: 0fe73ea135598b8ad13aa50b11e6ef82a2306e7bb66cf4f0b93747b64d233f42de049a32ff75b1bc315aa2b6f29c3524cfc467ba6782f2cbbbee526d39e88318

    • F:\$RECYCLE.BIN\S-1-5-21-355097885-2402257403-2971294179-1000\DDDDDDDDDDD
      Filesize: 129B
      MD5: ecccf2ae57d1dfb0eab04a3f1280bda2
      SHA1: 7940e621f284666d91d9949d71ddbfda1a851829
      SHA256: 2acd364f569d96c1d122abccb794a64bf11a0fb24cb5e558974b50f7a6e5ce65
      SHA512: 31f407cc37145cf2d0ad6dba1cf89da277a429a67e97f8d7149dbc1992a2f336fbd53b4313ade16b7d3d393dc127884b2d111cd6b79a14cd063ddb402e9fea0f

    • memory/2228-2942-0x0000000002A80000-0x0000000002A90000-memory.dmp (Filesize: 64KB)
    • memory/2228-2943-0x0000000002A80000-0x0000000002A90000-memory.dmp (Filesize: 64KB)
    • memory/2228-2-0x0000000002A80000-0x0000000002A90000-memory.dmp (Filesize: 64KB)
    • memory/2228-2944-0x0000000002A80000-0x0000000002A90000-memory.dmp (Filesize: 64KB)
    • memory/2228-0-0x0000000002A80000-0x0000000002A90000-memory.dmp (Filesize: 64KB)
    • memory/2228-1-0x0000000002A80000-0x0000000002A90000-memory.dmp (Filesize: 64KB)
    • memory/4496-2959-0x00007FF7F1E50000-0x00007FF7F1E60000-memory.dmp (Filesize: 64KB)
    • memory/4496-2962-0x00007FF7F1E50000-0x00007FF7F1E60000-memory.dmp (Filesize: 64KB)
    • memory/4496-2961-0x00007FF7F1E50000-0x00007FF7F1E60000-memory.dmp (Filesize: 64KB)
    • memory/4496-2970-0x00007FF7F1E50000-0x00007FF7F1E60000-memory.dmp (Filesize: 64KB)
    • memory/4496-2971-0x00007FF7F1E50000-0x00007FF7F1E60000-memory.dmp (Filesize: 64KB)
    • memory/4496-2992-0x00007FF7EFDA0000-0x00007FF7EFDB0000-memory.dmp (Filesize: 64KB)
    • memory/4496-2993-0x00007FF7EFDA0000-0x00007FF7EFDB0000-memory.dmp (Filesize: 64KB)