Overview

overview

10

Static

static

10

2024-11-15...de.exe

windows7-x64

9

2024-11-15...de.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-11-2024 12:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe

  • Size

    145KB

  • MD5

    8005b63da0a2688ea287976c6f943abe

  • SHA1

    2c84df5324d1044f2fba0385319d0248dc5beb4b

  • SHA256

    0b96b4946ea996ef7d79b7d2d4d5bf3506457f26a47e835492c53f587f0a6111

  • SHA512

    89077d40eaf1f3cd1940d5f26796fee7634e38d63870861b85002aa4b66412f7741980d7c587a45f795fc3b27b71adb19776b20dc06f5b70b5efdaa10171ae25

  • SSDEEP

    3072:P6glyuxE4GsUPnliByocWeppfpra9wpAm9bXFKo0bW:P6gDBGpvEByocWepm9mpj0

Score
9/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (357) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\ProgramData\12A6.tmp
      "C:\ProgramData\12A6.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\12A6.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2368
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:2544

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\AAAAAAAAAAA
      Filesize

      129B

      MD5

      6b8c78b32b1bd3978f2e4924f7d7f84c

      SHA1

      2203a724f075d2611d94830713515bd965a2dc7f

      SHA256

      d6d86ec3925a24b87d1f7abe787c7b64f033af45e026f945cd29e0eabcdeeff0

      SHA512

      b98b022b57d8eb98027fc5c14505caea21c8c6447eec5a936e287693e52947b507b6e4f156f28a030c1aed84350bace5c33e30b9aef72fb283a2202841f39bb7

      Download Submit

    • C:\IPjaex13M.README.txt
      Filesize

      334B

      MD5

      88f6599d557ec2b7a12b3ab4faf3c364

      SHA1

      1bc917d0543deee57c7e13f7ed182c8692e69458

      SHA256

      781cf1f98ccd2cf18079967e28996a722e75fa28cb2ecc8b638e2efcdf751e8d

      SHA512

      d1633a186dbc849f8c056bd53df4b24f972f170cb4e602b487d89b9762ce78699cf148d70f62272e8e2d13888a73b38910b43c378af8d21102a3fd2e08731d19

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
      Filesize

      145KB

      MD5

      b98b5bc342b41f973787b82d440def39

      SHA1

      2d25f5345bd34a998a5b931c4b5a80c3aca5fcbd

      SHA256

      85a37399f7dbfe1a22baa59c921bd3c3717831ea57f0cf0ef8ca02ab66c67fd4

      SHA512

      6b3e869ab4f741a73c321f16e63fa03d2ac01b7bda715b281692c861c509ffe791e2c9199c05161c29994a6e6b0f252589bd74f239649ce9493e1a1d863a69bf

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      e45d5c5fc9e71477d4e0114b88a1fb36

      SHA1

      061f0a84ad71e894276a787f134c18d2a8dc46bb

      SHA256

      e99ac1938d777196780971108ecd2c9aae3d091749295f4b8d2ceb44a7a9046a

      SHA512

      19cf0918def20d9c36917fed78371dc3657402312fc68f9bc5fa00971cb1bee7b88eccbf5e5d191f1c8559f52968135043aa790e0b6692baf2d293a4e40ddac6

      Download Submit

    • \ProgramData\12A6.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • memory/2484-892-0x0000000002100000-0x0000000002140000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2484-895-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2484-894-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2484-893-0x0000000002100000-0x0000000002140000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2484-890-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2484-925-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2484-924-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2644-0-0x0000000002040000-0x0000000002080000-memory.dmp

      Filesize

      256KB

      Download