Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-11-2024 12:23

General

  • Target

    2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe

  • Size

    145KB

  • MD5

    8005b63da0a2688ea287976c6f943abe

  • SHA1

    2c84df5324d1044f2fba0385319d0248dc5beb4b

  • SHA256

    0b96b4946ea996ef7d79b7d2d4d5bf3506457f26a47e835492c53f587f0a6111

  • SHA512

    89077d40eaf1f3cd1940d5f26796fee7634e38d63870861b85002aa4b66412f7741980d7c587a45f795fc3b27b71adb19776b20dc06f5b70b5efdaa10171ae25

  • SSDEEP

    3072:P6glyuxE4GsUPnliByocWeppfpra9wpAm9bXFKo0bW:P6gDBGpvEByocWepm9mpj0

Malware Config

Signatures

  • Renames multiple (639) files with added filename extension

    This suggests ransomware activity: encrypting all files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:3796
    • C:\ProgramData\F34A.tmp
      "C:\ProgramData\F34A.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:5628
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F34A.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5160
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:4368
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3204
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{5F4B857B-031A-49FF-9D3B-230718EC1328}.xps" 133761470188910000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:3432

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\YYYYYYYYYYY

      Filesize

      129B

      MD5

      c829c1a74bce2c766f4ad164c94fae9e

      SHA1

      8f334245260277af90fed4eb39168e0f4d231aa2

      SHA256

      c95fbb508e91b788ab86d19772773059db60f4400d29dc3ae03212ca841b3132

      SHA512

      85abcd0a457f35c5f85c637d470a0ec141cbf49d8e2f4eeacc9f51679b673d163cb50b92d062be292bf9e36cfb04181244110c6a5fbccbb5ade7985fc9263939

    • C:\IPjaex13M.README.txt

      Filesize

      334B

      MD5

      88f6599d557ec2b7a12b3ab4faf3c364

      SHA1

      1bc917d0543deee57c7e13f7ed182c8692e69458

      SHA256

      781cf1f98ccd2cf18079967e28996a722e75fa28cb2ecc8b638e2efcdf751e8d

      SHA512

      d1633a186dbc849f8c056bd53df4b24f972f170cb4e602b487d89b9762ce78699cf148d70f62272e8e2d13888a73b38910b43c378af8d21102a3fd2e08731d19

    • C:\ProgramData\F34A.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

      Filesize

      145KB

      MD5

      4c6fc9aa85535c6465e8999a4b5bab9f

      SHA1

      fdb06c49d86375480b36943b97015dc33ac1c1db

      SHA256

      960fd718c0a3c2ada4d5c604deb457391060db1b4cd2700796f5f82448036119

      SHA512

      8a0b1b136a173ba9ba70bdbb465a94c63c2cecdd91b5e3660844a7d414f508ae988a111b1e551f1d26728bade1f43b991397543d8a021c5166dc2876b48e62e5

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      350cac3b60c0ad35a63c88151ebdadb0

      SHA1

      46a7157d030dc2cd74b2fba2b90acd5b0ccd39e8

      SHA256

      f33889f5a4907fc2ccb3ec02b4c1cdc1672ba2b93d86a4ed99e8c213bb3f5bd6

      SHA512

      062988baa2bacc4fe10e10911da13d4cf614da6f14eee5a318920b8d0f4ca8a80e05082bb2fc0e5f6e22220650eabcb63be99b02191f8bdff4ae8ad73b1209ed

    • F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      8f7de8386b244d7016649660fc787b74

      SHA1

      a0cbf9134ecc6db87047e196ad7e49b02fca6237

      SHA256

      434de5303e0e74d2e8be7bc9daa2aa03ccceb04f40eb4a526d4ef1f7970a99ee

      SHA512

      78ae13ee4434b8a5a4ef297f3a8a11ef5aa70201ef2444696b57e896376c83292ceb4fe340f23b73edbb52f57084e61a75489537de812f6d5b064e4040d88358

    • memory/1744-2973-0x0000000002C90000-0x0000000002CA0000-memory.dmp

      Filesize

      64KB

    • memory/1744-2972-0x0000000002C90000-0x0000000002CA0000-memory.dmp

      Filesize

      64KB

    • memory/1744-0-0x0000000002C90000-0x0000000002CA0000-memory.dmp

      Filesize

      64KB

    • memory/1744-2971-0x0000000002C90000-0x0000000002CA0000-memory.dmp

      Filesize

      64KB

    • memory/1744-2-0x0000000002C90000-0x0000000002CA0000-memory.dmp

      Filesize

      64KB

    • memory/1744-1-0x0000000002C90000-0x0000000002CA0000-memory.dmp

      Filesize

      64KB

    • memory/3432-2985-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

      Filesize

      64KB

    • memory/3432-2987-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

      Filesize

      64KB

    • memory/3432-2988-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

      Filesize

      64KB

    • memory/3432-2986-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

      Filesize

      64KB

    • memory/3432-2989-0x00007FF845D30000-0x00007FF845D40000-memory.dmp

      Filesize

      64KB

    • memory/3432-3022-0x00007FF843660000-0x00007FF843670000-memory.dmp

      Filesize

      64KB

    • memory/3432-3023-0x00007FF843660000-0x00007FF843670000-memory.dmp

      Filesize

      64KB