Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
06-10-2024 04:57
General
-
Target
2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe
-
Size
146KB
-
MD5
e09dd7cca0c6c147ba21b4062e723c5b
-
SHA1
ff6333bdda824e4c13bcd13351bd4bb14aaeab11
-
SHA256
d9938ac4346d03a07f8ce8b57436e75ba5e936372b9bfd0386f18f6d56902c88
-
SHA512
603f45dc0b3302739ef6e4727572ecf64cf6f65c80af1e05aa3795fc9ce36849cf0f465bbf8a9f116c8fb3da8d91998ec5582b24503f4f43764e7b3543a94c4e
-
SSDEEP
3072:yqJogYkcSNm9V7DNDgSKet5JXglKso1WT:yq2kc4m9tDjlrJX3so
Malware Config
Extracted
C:\fB1SZ2i3X.README.txt
https://tox.chat
Signatures
-
Renames multiple (337) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: RenamesItself 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\7FBB.tmp"C:\ProgramData\7FBB.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7FBB.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x14c1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5ce4c450c599b368e000c1c59dcf594fd
SHA1890422a9b219040c852a7e2c3fa73368e214be54
SHA256761212dd61560e1dbc49efc6a6c97db672c6fc5e4b5826a312ba5bc34b310198
SHA51296f037850d198dc108ba1b136068fe14f8ff95e35e9dd6148c4141e518838bd1a31f376305325227135f2f86cf14755188fc93cf2ffb6f4590d7ff51483ffa0f
-
Filesize
146KB
MD5270e5fa8f8a5ca56af6b36b95a00622f
SHA1a6eb06a4b317c1c38d56657d6bb7105c6bbf46fa
SHA256a0e51af30f42606537257ba5e9e14c95a34b8c648f394fce0f67a2587b7db2e2
SHA512a34d3e520c6277b8b2b4d714102382abed250bdc27d46049c0f90efb3330f6ff9910fe2e579b98665066308116cbf8c952250474c56f85af5d863cda7ffbaec0
-
Filesize
1KB
MD570344773c49f18010dabfe8a250e2830
SHA12df86a1c8180b77263424f919b57ca16bf614b65
SHA25638330e8cffd414453eb8c943e9c11de1fb617aed60ce7f9bb47b7f963ebabd31
SHA5124a214e98f1e3408f04af297ee278861adc8815fcb4deb45737bc0d024e46f4affe8e9c493f4ea6d6e98800a8c0a5b4b0359ca5508e6b217e053b60ea47acb561
-
Filesize
129B
MD540188a718bcef1d3de4c1237b5ef5dc8
SHA1776ed946f955459efb8b7de27f8042e2c97328e7
SHA256c5a0478c811d03d13ba0f45da82da76c9ecf7809fe53002f3ef56b4920537c59
SHA5123d984420baee9b822db856e6c66f1925c1d6e998031fd4eb8674a6adc6419d27e9137b058033d64d9a95f1f42d36d8e6b79678dc3386a987b54e24f47f345c0a
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
12KB
-
Filesize
28KB
-
Filesize
256KB