Overview

overview

10

Static

static

10

2024-11-27...de.exe

windows7-x64

7

2024-11-27...de.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    94s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2024, 02:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-11-27_12ee1481a91f84a0bc71b45aa00844b0_darkside.exe

  • Size

    156KB

  • MD5

    12ee1481a91f84a0bc71b45aa00844b0

  • SHA1

    309d2273d6875c14acb8976c429e022d9ed5a6ee

  • SHA256

    421f922658b985855a580ad3d6736c55817d252a9d6104c944786f7aae393b6b

  • SHA512

    e3293bc77e8177f7abc3a8b51ce05c20941735f9f3c9902201c8f7907529a25d3e1654704b7163324a6ed3b8604e6002ddcc7aa79ef2a8ec609ea548d160075a

  • SSDEEP

    3072:+DDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368JmSLTFh1zgH3/W:I5d/zugZqll30SD1gH3

Score
7/10
defense_evasiondiscovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-27_12ee1481a91f84a0bc71b45aa00844b0_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-27_12ee1481a91f84a0bc71b45aa00844b0_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\ProgramData\A316.tmp
      "C:\ProgramData\A316.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3672
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A316.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3140
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:844

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini
          Filesize

          129B

          MD5

          87680061c6a3680a467ff994b4bcccf6

          SHA1

          549a426fc135c3c6ab7baf51c8a728eba2c9b677

          SHA256

          d92827d86fd8af15698b4326394e348864b8e5e0e741386e183c0ee941887cc4

          SHA512

          6f2a70c1a8aac040bb9106180cafcd96700786e945725b66e74362816e81c932e9c2280d887d41759ebf1403bbab0b866ade737a3f9b6b89ef246fe0419cf2be

          Download Submit

        • C:\ProgramData\A316.tmp
          Filesize

          14KB

          MD5

          294e9f64cb1642dd89229fff0592856b

          SHA1

          97b148c27f3da29ba7b18d6aee8a0db9102f47c9

          SHA256

          917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

          SHA512

          b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
          Filesize

          156KB

          MD5

          6a167c16c922d20852387d4fc266c6d5

          SHA1

          1924ba9bc90212e0be590c3c64cfa2942992c0cc

          SHA256

          2b1fbedac71a27aa1cf7ceae4b820cc9fc1c096475cd5ad265377e3f270eeeea

          SHA512

          ebca506f2a0aeb3b996f5cd96da9656ce587987cc89b063f14ae95383d2090672b26f1a067d4a6041a9d2d9438bb3357cbbf70fe75e1ac976aea891b13148716

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\DDDDDDDDDDD
          Filesize

          129B

          MD5

          c5b1a7ed3184dc7ca1cbd8c3d1e460a1

          SHA1

          9920e85829cf6570909a672d14f81caf692a4c6e

          SHA256

          8c68d96d3440ebd32a743d6d8d486217319e1c8f3aa16ec732da0993dc09e67c

          SHA512

          b5052149c02f636c6f86526efe78985a2dbb0ac750cb1f1ef0810e15cef0721537c9685c43ee24851e25c4cd6b37e7ab256c0c8b1057415639235ec8a76b13df

          Download Submit

        • memory/2212-2-0x00000000032C0000-0x00000000032D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2212-1-0x00000000032C0000-0x00000000032D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2212-0-0x00000000032C0000-0x00000000032D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3672-92-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3672-93-0x0000000002720000-0x0000000002730000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3672-90-0x0000000002720000-0x0000000002730000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3672-91-0x000000007FE20000-0x000000007FE21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3672-89-0x000000007FE40000-0x000000007FE41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3672-122-0x0000000002720000-0x0000000002730000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3672-123-0x0000000002720000-0x0000000002730000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3672-127-0x000000007FE00000-0x000000007FE01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3672-126-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

          Filesize

          4KB

          Download