Analysis

  • max time kernel
    146s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-09-2024 15:17

General

  • Target

    202409298911139e0686509cbf44954ba2ba6675darkside.exe

  • Size

    150KB

  • MD5

    8911139e0686509cbf44954ba2ba6675

  • SHA1

    f16aad9a562b1de55e33b2de23abaa7eb0a4a5c7

  • SHA256

    4f395d7d4d5c2578f957070e4b0acc6d4bc2d0761f39258e990f2070bd3db2fc

  • SHA512

    d20a28ac9987409dfb450740f904138e7ffb5ce16cb7ae13b29061b990136e472cef56427e35a337d07d100e6a6c3ddf08c82a6d402f97c468b73ad8c2d4f6a1

  • SSDEEP

    3072:AqJogYkcSNm9V7D5KbhIJ+2EE9ZzoZmT:Aq2kc4m9tD5KmJ0EnMZ

Malware Config

Extracted

Path

C:\tMAXi4m5p.README.txt

Ransom Note
Hello my dear friend. Do not scan the files with antivirus in any case. In case of data loss, the consequences are yours. Your data is encrypted Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted The only method of recovering files is to purchase decrypt tool and unique key for you. If you want to recover your files, write us to this e-mail: [email protected] In case of no answer in 24 hours write us to this backup e-mail: [email protected] Check your e-mail Spam or Junk folder if you don't get answer more than 6 hours. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software - it may cause permanent data loss. We are always ready to cooperate and find the best way to solve your problem. The faster you write - the more favorable conditions will be for you. Our company values its reputation. We give all guarantees of your files decryption. What are your recommendations? - Never change the name of the files, if you want to manipulate the files, be sure to back them up. If there are any problems with the files, we are not responsible for them. - Never work with intermediary companies because they charge you more money.Don't be afraid of us, just email us. Sensitive data on your system was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. - Manufacturing documents including: datagrams, schemas, drawings in solidworks format - And more... What are the dangers of leaking your company's data. 
First of all, you will receive fines from the government such as the GDRP and many others, you can be sued by customers of your firm for leaking information that was confidential. Your leaked data will be used by all the hackers on the planet for various unpleasant things. For example, social engineering, your employees' personal data can be used to re-infiltrate your company. Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered. On another vacation trip, you will have to explain to the FBI where you got millions of dollars worth of stolen cryptocurrency transferred through your accounts on cryptocurrency exchanges. Your personal information could be used to make loans or buy appliances. You would later have to prove in court that it wasn't you who took out the loan and pay off someone else's loan. Your competitors may use the stolen information to steal technology or to improve their processes, your working methods, suppliers, investors, sponsors, employees, it will all be in the public domain. You won't be happy if your competitors lure your employees to other firms offering better wages, will you? Your competitors will use your information against you. For example, look for tax violations in the financial documents or any other violations, so you have to close your firm. According to statistics, two thirds of small and medium-sized companies close within half a year after a data breach. You will have to find and fix the vulnerabilities in your network, work with the customers affected by data leaks. All of these are very costly procedures that can exceed the cost of a ransomware buyout by a factor of hundreds. It's much easier, cheaper and faster to pay us the ransom. Well and most importantly, you will suffer a reputational loss, you have been building your company for many years, and now your reputation will be destroyed. 
Do not go to the police or FBI for help and do not tell anyone that we attacked you. They won't help and will only make your situation worse.

Signatures

  • Renames multiple (626) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\202409298911139e0686509cbf44954ba2ba6675darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\202409298911139e0686509cbf44954ba2ba6675darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:1172
    • C:\ProgramData\BD17.tmp
      "C:\ProgramData\BD17.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:880
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BD17.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4608
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
    PID:4644
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5016
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{3E6EA264-D3D0-4D91-8BD6-E0312BD20D8B}.xps" 133720966447600000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:3064

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\GGGGGGGGGGG

      Filesize

      129B

      MD5

      06b6efba7364d3356aee37ea5e4dd1d3

      SHA1

      68e8eb6f2b8d33c323fa9f98f396f917e50f183d

      SHA256

      cbb2f9090bf884d6ce5fdae24aee25d012ea581e1c55fca0c3065617b4844af2

      SHA512

      9c463af28c73e6ca8985d4125c7ad5aee5dca6e051e760198bea19d370df7ee62548313313b4c850afde0547843d2625d2a2b399652b1e97a40863e1edcecc0c

    • C:\ProgramData\BD17.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

      Filesize

      150KB

      MD5

      28b70086ebf5147fe3dbddd469d57068

      SHA1

      88231a9adfe3aa72f5ae05a8e13b51db924fb531

      SHA256

      5b45d424926521823c61b190517c74b5afe8c83947a0b0c13f36f41d14a9d67d

      SHA512

      974506416af6167f25971af898043e498fb32fa11f1431babf2096308a9a8d2696055bff6aae89addaf3bf6248f6b65b403eb3e532c8515d71b7e14e3552ab46

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      b1aca1e814a114d49fb9feb20e896734

      SHA1

      c124dee2c037e0a218503ae0572d2de17576a09a

      SHA256

      91ab3856b0c00776978fbefa5e2b703890c4a94cfb537796dea3c0219a7ada91

      SHA512

      904f109aabd218054f48d3a81dc55899311a6c3997b24d85d7928360c3d2126db272682ba43d729f55276d631484489ee54375c77cc7d1150bde23728e2b7237

    • C:\tMAXi4m5p.README.txt

      Filesize

      3KB

      MD5

      3b2c7f51fe80e142a7dbbf0d3565e398

      SHA1

      dc32f374357a8057bbe023e9e2ba9755b04388b3

      SHA256

      8ce7b3a993e3ab7bec11db06274026cc24cd6f04649db19e0b8a2e3c64177803

      SHA512

      0fe73ea135598b8ad13aa50b11e6ef82a2306e7bb66cf4f0b93747b64d233f42de049a32ff75b1bc315aa2b6f29c3524cfc467ba6782f2cbbbee526d39e88318

    • F:\$RECYCLE.BIN\S-1-5-21-2718105630-359604950-2820636825-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      f2e79d80f412c90e84167969861836b5

      SHA1

      7e53e6fa90577cead61aa77efe97a281b551749a

      SHA256

      41a312a722e69fa33cc3b56a3e9e6ebef3597985b608666010129f64d38aa1a4

      SHA512

      f6915955bbb2b41dd1c86f8c09a46be2a8327df5543d450a83834ad93bae52292274d390edd023ad15d47c4a8f1e9da478c019e43dcfeef1deeab8ae44f2da65

    • memory/3064-2955-0x00007FF892270000-0x00007FF892280000-memory.dmp

      Filesize

      64KB

    • memory/3064-2953-0x00007FF892270000-0x00007FF892280000-memory.dmp

      Filesize

      64KB

    • memory/3064-2956-0x00007FF892270000-0x00007FF892280000-memory.dmp

      Filesize

      64KB

    • memory/3064-2957-0x00007FF892270000-0x00007FF892280000-memory.dmp

      Filesize

      64KB

    • memory/3064-2954-0x00007FF892270000-0x00007FF892280000-memory.dmp

      Filesize

      64KB

    • memory/3064-2986-0x00007FF88F910000-0x00007FF88F920000-memory.dmp

      Filesize

      64KB

    • memory/3064-2987-0x00007FF88F910000-0x00007FF88F920000-memory.dmp

      Filesize

      64KB

    • memory/4000-2936-0x00000000031B0000-0x00000000031C0000-memory.dmp

      Filesize

      64KB

    • memory/4000-2938-0x00000000031B0000-0x00000000031C0000-memory.dmp

      Filesize

      64KB

    • memory/4000-2937-0x00000000031B0000-0x00000000031C0000-memory.dmp

      Filesize

      64KB

    • memory/4000-0-0x00000000031B0000-0x00000000031C0000-memory.dmp

      Filesize

      64KB

    • memory/4000-1-0x00000000031B0000-0x00000000031C0000-memory.dmp

      Filesize

      64KB

    • memory/4000-2-0x00000000031B0000-0x00000000031C0000-memory.dmp

      Filesize

      64KB