Overview

overview

10

Static

static

10

2024-10-10...de.exe

windows7-x64

9

2024-10-10...de.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    10-10-2024 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-10-10_a7be144ff0b871ddd45e1e0bef06faa6_darkside.exe

  • Size

    146KB

  • MD5

    a7be144ff0b871ddd45e1e0bef06faa6

  • SHA1

    811797d3e0ce7c5ed76ff656156a2c066f306032

  • SHA256

    22a164ed481ba88df26ce7e819f2240d7fafa5b6ee2cd2993cb5fae3d566be7f

  • SHA512

    caeec8ed5080f00fe1134b968c81f13660ac1a9312d1f151b676f2a0b3670b2c0440e00c8a5e398d91707be5989d34e547ff3d5b4facbba81705c41f52bb3367

  • SSDEEP

    3072:46glyuxE4GsUPnliByocWep0AMmr7fTP+Gldf:46gDBGpvEByocWeRMa3P

Score
9/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (355) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-10_a7be144ff0b871ddd45e1e0bef06faa6_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-10_a7be144ff0b871ddd45e1e0bef06faa6_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\ProgramData\4CC9.tmp
      "C:\ProgramData\4CC9.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4CC9.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2980
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:2776

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini
      Filesize

      129B

      MD5

      d432709e12b236bc20429521da5baad7

      SHA1

      b6d8450d92446dcbbd99ff3093da0b4a1c396792

      SHA256

      da585f15c24f48370b7116e0522b5930c688c936eabf2dd6b7a79607bfd28c93

      SHA512

      788208c0b49d6fc8aabb9431f0ee31f22ecbe3f269cc60ece76d8366a09ceee1b643a34739ae5d67457829eccaa8e17631f8bc96d4078c15eeaa33c069ee7303

      Download Submit

    • C:\OC9oMrMV8.README.txt
      Filesize

      343B

      MD5

      a8864aa0987b12bc59008a02c3ddda88

      SHA1

      54327dba296f734aae7ba65faf0b3dd8cb73b714

      SHA256

      168c71031668b64e0ccf26e81353f6eacb3599edbaf62f7aa62c55b8075a5a8f

      SHA512

      5a94b41a4f74354978c32dbe18d505bda8db0a0195f1df1749f81478c0bc0e022b744972f0c491a33b595fc9b21c7b5b59252ec5451b14cf15cbb6c936954dd8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
      Filesize

      146KB

      MD5

      a5775dc6f523fb7266183e6982964371

      SHA1

      693b8bf569036f5527b250a78db94e863b1a8725

      SHA256

      56df7fff0f241fc5523cee59d1059374b3ec7f371adbc58ff7390263cb2a8483

      SHA512

      cf1d418b19ff4478452e8b351582a193896636b4fd7d0cdb0f7a6c4e2dfcf97fcd0bcb59286a821d6af85134a416310f37a6dbd2902174bbdefc3215e3c67508

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      1de3d48a73396a9ca1f0edb3dbbdabfb

      SHA1

      be3d3f270da3ba1a4b947b93d36106a9855c07fd

      SHA256

      453ebe91d5a47d842c4bc01a47e54c3ad8e5c5b2a352e56bdb80c836a7f69ab0

      SHA512

      851d9064e66faafd6f7163d740667458b2a4fe6dca15ad4bf9161fb25453e8ddaa1f4cbf288a3be3108cd4f5c34788570ebbe3c251f46370b124d973b2ec68bd

      Download Submit

    • \ProgramData\4CC9.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • memory/2292-890-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2292-891-0x0000000002300000-0x0000000002340000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2292-894-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2292-893-0x0000000002300000-0x0000000002340000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2292-892-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2292-924-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2292-923-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2668-0-0x0000000000B30000-0x0000000000B70000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2668-1-0x0000000000B30000-0x0000000000B70000-memory.dmp

      Filesize

      256KB

      Download