Analysis

  • max time kernel
    91s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2024 17:25

General

  • Target

    2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe

  • Size

    147KB

  • MD5

    2827781d295d54cdb5d199c19aef469d

  • SHA1

    308b01ec5ba7e3283353bb7cdbf85010017f99e8

  • SHA256

    d2468b77968df53b4335668c1a5313dd007d9ab528541bab28f74b4f170988fa

  • SHA512

    4afdcf585fb43e5001c77b50377f1d4c9dc2ab7925dceb1ed552e112bce6ea3ec122d18f3c08efb5a5b2e2b7fbf7cd396e53f025d5e7d5f5f3f7d69b8e73e334

  • SSDEEP

    3072:36glyuxE4GsUPnliByocWepZaGGtgp8FDJ94dElJnxB:36gDBGpvEByocWe2xZFXhbnz

Malware Config

Extracted

Path

C:\FIPNplZX1.README.txt

Ransom Note
YOUR FILES ARE ENCRYPTED Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Your personal DECRYPTION ID: 057A7C74C1AE5F494AF581597CE2AF09 Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] telegram: @somran2024 Attention! * Do not rename or edit encrypted files and archives containing encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. * We have been in your network for a long time. We know everything about your company most of your information has already been downloaded to our server. We recommend you to do not waste your time if you dont wont we start 2nd part. * You have 24 hours to contact us. * Otherwise, your data will be sold or made public.

Signatures

  • Renames multiple (655) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-16_2827781d295d54cdb5d199c19aef469d_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\ProgramData\EAEC.tmp
      "C:\ProgramData\EAEC.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\EAEC.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\MMMMMMMMMMM

    Filesize

    129B

    MD5

    21a0f795649b089838f23898fa813c51

    SHA1

    37f3c80b480d204b4e7a71cdb81bad9eead6e1aa

    SHA256

    8574142313da120b3627bcc41aba84f2065bd87d1abb0528bf96a100ab0ebcb0

    SHA512

    c5d53e05ec856451c561702726599c175ddf24dcad982f272184bb8a7acf6885638233e0f7f0a364c492849423e53d256f1a28b879b5cc881226790177d31b56

  • C:\FIPNplZX1.README.txt

    Filesize

    1KB

    MD5

    3d7996ed6d089e5a434d4afe24cf1808

    SHA1

    c2cfef486c4a0879a36d077a1eba3bfe80b82935

    SHA256

    9a0f2c039c097d56e0cbbf7a9b04ee513106a329492d2d2a31f3a8a1ad2ea871

    SHA512

    6deb285ebb0a5fc8b0a5a3f89302859d9827cbfe4ef1e89024e19ab091a4736b0354a1080a622bb066055fed3e3e14c0a5f320b77b186ab506603a630fbae19f

  • C:\ProgramData\EAEC.tmp

    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

    Filesize

    147KB

    MD5

    b0d263501654da40b2854130efe5d694

    SHA1

    f501cb18b8f894013ec11e341d5b6790e93895ae

    SHA256

    f7321c2b6d34446b7d106f92473b9ac495ae447a6719a4673a7e8cd9245c7853

    SHA512

    2d3d0acfc1f4f27bb7fa36fbcb0df8edc9f876d02366ba5d92857e74d156bc4be07cdd4a0eaad2dfe1353e945df6812f240283fab03b6b7d1624f664a703a5d2

  • F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\DDDDDDDDDDD

    Filesize

    129B

    MD5

    10cda3bf1c2c33971323d1004c200e53

    SHA1

    aecdbef1cdefed4af35d8a5f11d2bc72e510f5c3

    SHA256

    938e6d66ceea2718141f8b9bda403b181948cfde11f6dc85211a79a798c5de58

    SHA512

    b7eedc8df78558a3ae5e6f96b32ac7146fcad317a4eba9309400571745ca307005578ff383d0b888ed754948feeca34f0261e48fdcb05f6e499d32604b361c55

  • memory/3116-3001-0x0000000000E30000-0x0000000000E40000-memory.dmp

    Filesize

    64KB

  • memory/3116-3003-0x0000000000E30000-0x0000000000E40000-memory.dmp

    Filesize

    64KB

  • memory/3116-3002-0x0000000000E30000-0x0000000000E40000-memory.dmp

    Filesize

    64KB

  • memory/3116-0-0x0000000000E30000-0x0000000000E40000-memory.dmp

    Filesize

    64KB

  • memory/3116-1-0x0000000000E30000-0x0000000000E40000-memory.dmp

    Filesize

    64KB

  • memory/3116-2-0x0000000000E30000-0x0000000000E40000-memory.dmp

    Filesize

    64KB

  • memory/4404-3008-0x000000007FE40000-0x000000007FE41000-memory.dmp

    Filesize

    4KB

  • memory/4404-3011-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

    Filesize

    4KB

  • memory/4404-3010-0x000000007FE20000-0x000000007FE21000-memory.dmp

    Filesize

    4KB

  • memory/4404-3009-0x00000000024B0000-0x00000000024C0000-memory.dmp

    Filesize

    64KB

  • memory/4404-3041-0x000000007FE00000-0x000000007FE01000-memory.dmp

    Filesize

    4KB

  • memory/4404-3040-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

    Filesize

    4KB