Analysis

  • max time kernel
    92s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-11-2024 04:31

General

  • Target

    2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe

  • Size

    145KB

  • MD5

    b2cb742a43762106fc03fa1e26fd4f68

  • SHA1

    aef4e9199b06b835b6e677c0910d3ed6fdf96ef3

  • SHA256

    f4dcf20fcdd95d241eadcd88ce30998189d0682132456e9254321a8d6d281611

  • SHA512

    d0521e8a496e53a309acf7f9d388e684bfa068cc77d23ae6a7da75e6dea962b2a9e3dd5a27dc5e45c054aa025e3ff1a3c237a996aab2fbcfaa68483481ca4975

  • SSDEEP

    3072:5qJogYkcSNm9V7D58PleQQuloQwssCnT:5q2kc4m9tDcQvuiQfD

Malware Config

Signatures

  • Renames multiple (604) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:388
    • C:\ProgramData\D2E1.tmp
      "C:\ProgramData\D2E1.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3504
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D2E1.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5700
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:764
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3108
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{E0CAD3EF-4C28-4BF0-A005-E936E1F6341B}.xps" 133758595220990000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:4924

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\YYYYYYYYYYY

      Filesize

      129B

      MD5

      0b61c2bf8d32ea0459af910ff2aa98e6

      SHA1

      f99f334d9930653e7185751c4afcc70ef816dc4c

      SHA256

      7f5b22c983b25721513821ac3ee6fd34b7a3106dd0bb7e53431d8e9226540c7a

      SHA512

      4f296ec662a47f2a5a0cdd3a03942fbfc802ee94e65b5e54adb524e4acc44acae0d3a36ab8c8da78d08aee542db342e134601c1e98eaf49550518b5e1188dfbe

    • C:\BNzPckH0e.README.txt

      Filesize

      93B

      MD5

      eaebdbc14b3c2ecdcec757fc361f5589

      SHA1

      02ec5589c9f3c671c464671faaf1b8343d849490

      SHA256

      0f037f3ac40aa8e999e3394d3741594b3410581f89eb467863e0ff30fa2417da

      SHA512

      14f5876fd27dbff0784e851e1c2fe4c68f70dc3b0cc2e95f10ab28bc872f90e82bb590f441379b73579c54680132a6961d216b9c18cd9648f9a45d4a72db660f

    • C:\ProgramData\D2E1.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      145KB

      MD5

      080195123dd27d8bb0ba212d1d55f1b1

      SHA1

      b7cdba90000a52d24585c38b181dadff3c9b4b64

      SHA256

      c5ced65e386a9c97311fb9230e42623185297d88253cf9174a672c93540a35ca

      SHA512

      ef401b17934d5aaa113f0085275ddc545c06ce1d042f66a78f6516bc15e05a6e08408870fb4de64a825435b3dc4931a66e50de44c7fee7f1112ed932b18227bd

    • C:\Users\Admin\AppData\Local\Temp\{988DE87D-A002-4D68-B406-5E1385321AB3}

      Filesize

      4KB

      MD5

      fd77a1563af98cbf4f347f3d018ab184

      SHA1

      8c1afddb548aca67684866e6f3d03991cf75a68f

      SHA256

      ad135c6f54c1c86e9c117beaa2d53eef9183fa35b87bc117d756618af54dd8bb

      SHA512

      79a36e9d29d62acce57c4ef37550da21c6ecabc66a14ca05df4c8bb83336d826fc8d1f174078c66d753b24314de9b1ddda6eb559db1880d567db2acb0490a1c8

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      2fa34e311bb1e8e10786ff00b28cad68

      SHA1

      0ba4b9035e758363d8062b213668349dbfc92802

      SHA256

      ab8c482157c21d3467ac440fb12efdfb1873187745c5e0857c74e6f439ae1acb

      SHA512

      4fca31b76e95deebd5c3aed765a9f2841df3244e3eb71dc2b2ad7234d66ff9b9d81c32ab2a4b7e1e4365e89a298a9565b56c61d9250a4405a2b323ead23d1619

    • F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      dace2adc5442e3b94a636eecad351683

      SHA1

      6d95b37f6fbd9e20239021a7c931cdfe3ea17192

      SHA256

      bc01512e8f156e49d4a059cb55fb3469ae50334de71b5b96ab921b5531b774db

      SHA512

      8afaaa521c72008b370b5aca6c87312d3e54d4f4b944a5285a042b48b68681ac51064fa0de92850c11f333ee62743bd8ab8c85e9e0cb3580c71b210c960799c4

    • memory/3024-2-0x00000000032E0000-0x00000000032F0000-memory.dmp

      Filesize

      64KB

    • memory/3024-1-0x00000000032E0000-0x00000000032F0000-memory.dmp

      Filesize

      64KB

    • memory/3024-2789-0x00000000032E0000-0x00000000032F0000-memory.dmp

      Filesize

      64KB

    • memory/3024-2790-0x00000000032E0000-0x00000000032F0000-memory.dmp

      Filesize

      64KB

    • memory/3024-2791-0x00000000032E0000-0x00000000032F0000-memory.dmp

      Filesize

      64KB

    • memory/3024-0-0x00000000032E0000-0x00000000032F0000-memory.dmp

      Filesize

      64KB

    • memory/4924-2804-0x00007FFE88430000-0x00007FFE88440000-memory.dmp

      Filesize

      64KB

    • memory/4924-2803-0x00007FFE88430000-0x00007FFE88440000-memory.dmp

      Filesize

      64KB

    • memory/4924-2808-0x00007FFE88430000-0x00007FFE88440000-memory.dmp

      Filesize

      64KB

    • memory/4924-2840-0x00007FFE85EA0000-0x00007FFE85EB0000-memory.dmp

      Filesize

      64KB

    • memory/4924-2841-0x00007FFE85EA0000-0x00007FFE85EB0000-memory.dmp

      Filesize

      64KB

    • memory/4924-2805-0x00007FFE88430000-0x00007FFE88440000-memory.dmp

      Filesize

      64KB

    • memory/4924-2807-0x00007FFE88430000-0x00007FFE88440000-memory.dmp

      Filesize

      64KB