Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-12-2024 03:24

General

  • Target

    2024-12-11_af1398f1ed01ca6264103405691c1eb7_darkside.exe

  • Size

    147KB

  • MD5

    af1398f1ed01ca6264103405691c1eb7

  • SHA1

    faa0ca77538c07e98ab62c68e12f477cfe319cb0

  • SHA256

    8e26b0b429c46d959aa0193685bdbe0ed0ff19a3a5bd316e976a99084d800bae

  • SHA512

    8b1ccc69a04123f535460729d4632c3120f298eb8c2fe4fcc2a914a9fdf9cc715bb54633248e9118dff3241469afdaa3f698317b4501a34f47541705ab049943

  • SSDEEP

    1536:lzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDnSlfefmViaPukTQfxeK1FqGa1v:mqJogYkcSNm9V7DnYWfiiarTmKDmOHT

Malware Config

Extracted

Path

C:\1lGbHM0Gk.README.txt

Ransom Note

-------------YOUR DATA IS ENCRYPTED! --------------------
>>>> Write us to the e-mail and ask how to decrypt files: [email protected]
>>>> Your personal DECRYPTION ID: 354FEE4
Unlocking your data is possible only with our software.
All your files were encrypted and important data was copied to our storage
If you want to recover files, contact the operator in the TOX application, enter YOUR ID 354FEE4
Add the ID 21402979683F7B36CF675B23D49021C26074512599459413C7FD573052A9902383D8957302CD of your personal operator as a friend so that you can start chatting.
If the Operator did not respond within 24 hours or encountered any problem then send an email to our support [email protected]
In the header of the letter, indicate your ID and attach 2-3 infected files to generate a private key and compile the decryptor
Files should not have important information and should not exceed the size of more than 5 MB
After receiving the ransom, we will send a recovery tool with detailed instructions within an hour and delete your files from our storages
--------- Attention ---------
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
If you refuse to pay the ransom, Important Data that contains personal confidential information or trade secrets will be sold to third parties interested in them.
In any case, we will receive a payment, and your company will face problems in law enforcement and judicial areas.
>>>>>Don't be afraid to contact us. Remember, this is the only way to recover your data.<<<<<<

Signatures

  • Renames multiple (327) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, and browsing history.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-11_af1398f1ed01ca6264103405691c1eb7_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-11_af1398f1ed01ca6264103405691c1eb7_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\ProgramData\B886.tmp
      "C:\ProgramData\B886.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B886.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2188
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
    PID:2104

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini

      Filesize

      129B

      MD5

      4e420d6670dc7fc740993807d0889376

      SHA1

      2824f2fd7e44b6916ad535156cca984bd973db4b

      SHA256

      09e385a8fd33cfca35d583840201733983039753c73205c18543fc00ff857fc2

      SHA512

      6410d0286f5549f73d5f736b09ea969801de4950c68adc23dc8c358fadc17af6b79623c9d113bdea2c70fdf693df8dd6c8b6a378e8007b1e4d32f4a2068b69a3

    • C:\1lGbHM0Gk.README.txt

      Filesize

      1KB

      MD5

      62b70d1c1f0e369d876442e884f5cb30

      SHA1

      c1e6808f6a867c03010d0978bf8fd468d637c711

      SHA256

      11b3e376a6d123e88d2b39f7bed1a6c7f818ddf15ce32fb5a2cbb29932bfe321

      SHA512

      191a92f027b6100f1468847b8eb13a1dcd29c17860bba0f8a4645273c9fc6708372f57d2442d742f0daae696a12c7697982d267aff97b19b6a0fa6f6a8cca476

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      147KB

      MD5

      3e05db713db667ed00d8520cc35b87ee

      SHA1

      16ca62514c015b93a1408240241b49230a769898

      SHA256

      b2c27932eb2893041715444c62f1dee10285b52da867d6499df2feb223bc8780

      SHA512

      b7b91c4f7849021db20fbf1da423619a4999db2641cbfe1a80520e6b562904a056314ad019fcb9632a7f5c5e74d803a835548a148a565ae25aef72248603aa1d

    • F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\NNNNNNNNNNN

      Filesize

      129B

      MD5

      3a5b094dae553ce4f8c986b794cd59d8

      SHA1

      cf16b0960968a4d00860e1d7c1447730a96e5375

      SHA256

      cc6379ea72c965276ae4eb71ebe22eb0e55d2f5e41720d4c9f9dec155b7eed6a

      SHA512

      7b877749b8f9caa85eb6d83a6b1d71c3572be7fe5c5dd46fda8f4f0197ef5ce3b1992df06c6d2ecd6a4fd960bddc8b7fdb3a58f3d01936729bcef2692d882dc3

    • \ProgramData\B886.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/2532-0-0x00000000008E0000-0x0000000000920000-memory.dmp

      Filesize

      256KB

    • memory/3004-861-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

    • memory/3004-860-0x00000000003C0000-0x0000000000400000-memory.dmp

      Filesize

      256KB

    • memory/3004-859-0x00000000003C0000-0x0000000000400000-memory.dmp

      Filesize

      256KB

    • memory/3004-857-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

    • memory/3004-862-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

    • memory/3004-892-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

    • memory/3004-891-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB