Analysis

  • max time kernel: 120s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 16-12-2024 17:25

General

  • Target: 2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe
  • Size: 147KB
  • MD5: 2827781d295d54cdb5d199c19aef469d
  • SHA1: 308b01ec5ba7e3283353bb7cdbf85010017f99e8
  • SHA256: d2468b77968df53b4335668c1a5313dd007d9ab528541bab28f74b4f170988fa
  • SHA512: 4afdcf585fb43e5001c77b50377f1d4c9dc2ab7925dceb1ed552e112bce6ea3ec122d18f3c08efb5a5b2e2b7fbf7cd396e53f025d5e7d5f5f3f7d69b8e73e334
  • SSDEEP: 3072:36glyuxE4GsUPnliByocWepZaGGtgp8FDJ94dElJnxB:36gDBGpvEByocWe2xZFXhbnz

Malware Config

Extracted

Path: C:\FIPNplZX1.README.txt

Ransom Note

YOUR FILES ARE ENCRYPTED
Your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique decryptor.
Only we can give you this decryptor and only we can recover your files.
To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free.
But this file should be of not valuable!
Your personal DECRYPTION ID: 057A7C74C1AE5F49B05B656D480D0B9B
Do you really want to restore your files?
Write to email: [email protected]
Reserved email: [email protected]
telegram: @somran2024
Attention!
* Do not rename or edit encrypted files and archives containing encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
* We have been in your network for a long time. We know everything about your company most of your information has already been downloaded to our server. We recommend you to do not waste your time if you dont wont we start 2nd part.
* You have 24 hours to contact us.
* Otherwise, your data will be sold or made public.

Signatures

  • Renames multiple (352) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe (PID: 2372)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe"
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\ProgramData\CA32.tmp (PID: 1588, child of 2372)
      Command line: "C:\ProgramData\CA32.tmp"
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe (PID: 3020, child of 1588)
        Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CA32.tmp >> NUL
        • System Location Discovery: System Language Discovery
  • C:\Windows\system32\AUDIODG.EXE (PID: 2208)
    Command line: C:\Windows\system32\AUDIODG.EXE 0x148

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini
    Filesize: 129B
    MD5: 2be621f525d74cb972d5f7abdcf5e41e
    SHA1: 962073f255caa73e589f7004211314dbfd18d051
    SHA256: b4c44a08bf39ad780b3989a88d75dc609efbe8b0ede0ab1c6d4fb94e5b803ed8
    SHA512: aeea7f487fbb414630bf2afcb59fa130d51dc21ecf4211df9e1be4005901fae5ab7b3302e8d6c68b02a85a0978aaeae30d54d571fd1d2a5deeeda2692982dd8b

  • C:\FIPNplZX1.README.txt
    Filesize: 1KB
    MD5: c3803489d648c667e76f7e69bbf99425
    SHA1: 923be0e99a0d0d1e7c74d25629a4bceae1beecff
    SHA256: ab2faed7f50018bcb6759604ce44dfa0def3c0ac5ce666bb1ead807cca7f4e8a
    SHA512: 26ae96dbf3f3864f8a512c68e9716b597ad0ae663fd2c36085e76cb25c1af35e3bde9ca74579c417f66a9889264292de18650b5123edc7fc92e6a9df7cc372e7

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
    Filesize: 147KB
    MD5: bbf94c46ffdeea57bf36cc4e4bbdbd15
    SHA1: 6e163036d723a9670e990edb08e91304438424c7
    SHA256: a6706123ae218fe0fbd5c684717bf90280278284c2cc14ef2cab8a8186715d1f
    SHA512: 3432729d210e42743946f5e7bca9b9a49ee96cc3fb6ab99d37cf4e929d942516a451a5ee6740a75609acb24c5ace7dbf678b34e6751a3883a322afc13b16f808

  • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\EEEEEEEEEEE
    Filesize: 129B
    MD5: c3c5a2a04a62bb20e7031689b12c62cc
    SHA1: 9ee01b340013a453a83e01c9f40fde3b508abafc
    SHA256: 609af5fad29309300e0273639b50d63d85967311e2c441bcd3f5e1cc65946ff2
    SHA512: f3d647bd571ab7b1a68459dcab449c9a78049d7d7a03584d6950675f361205d9991f844c98ac624dbbb05ee476aba27da10545efc766a66d1db9e29e2b256a97

  • \ProgramData\CA32.tmp
    Filesize: 14KB
    MD5: 294e9f64cb1642dd89229fff0592856b
    SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  Memory dumps

  • memory/1588-887-0x000000007EF20000-0x000000007EF21000-memory.dmp (Filesize: 4KB)
  • memory/1588-886-0x000000007EF80000-0x000000007EF81000-memory.dmp (Filesize: 4KB)
  • memory/1588-885-0x00000000002E0000-0x0000000000320000-memory.dmp (Filesize: 256KB)
  • memory/1588-883-0x000000007EFA0000-0x000000007EFA1000-memory.dmp (Filesize: 4KB)
  • memory/1588-884-0x00000000002E0000-0x0000000000320000-memory.dmp (Filesize: 256KB)
  • memory/1588-917-0x000000007EF60000-0x000000007EF61000-memory.dmp (Filesize: 4KB)
  • memory/1588-916-0x000000007EF40000-0x000000007EF41000-memory.dmp (Filesize: 4KB)
  • memory/2372-0-0x0000000000350000-0x0000000000390000-memory.dmp (Filesize: 256KB)