Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20241010-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    19-12-2024 03:57

General

  • Target

    2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe

  • Size

    147KB

  • MD5

    43341d5a1d976b348d42ad9c0f9c605d

  • SHA1

    fe704f8a65f572217bcfe147057dc57adf4476f0

  • SHA256

    7320950d74a2fc29fc3067391a3e5f8b180b5cf84e6fbd41d7cb32067ee41c86

  • SHA512

    c17578c5b004cf359548dee26fa1c4967608b9aa7536e29413fc916005179ef3b2c2276311afbfa7a0275c0b598417786ae39564178855896768622524b8ab23

  • SSDEEP

    3072:J6glyuxE4GsUPnliByocWeplByuVgn/zHHwB65:J6gDBGpvEByocWepyF26

Malware Config

Extracted

Path

C:\4i9YfYWBr.README.txt

Ransom Note
What happens? Your network is encrypted, and currently not operational. e need only money, after payment we wil1 give you a decryptor for the entire network and you wil1 restore al1 the data.
>>>> What data stolen? From your network was stolen sensitive data. If you do not contact us we wil1 publish al1 your data in our blog and wil1 send it to the biggest mass media.
>>>>What guarantees?We are not a politically motivated group and we do not need anything otherthan your money.If you pay, we will provide you the programs for decryption and we will delete your data.If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goalsWe always keep our promises.
>>>>Pay ransom amount contact Email:[email protected]
>>>>Payment cryptocurrency address USDT-TRC20
>>>>TEG64M8gADhfgpcTdKSycYg75kyAVjExzf
>>>>payment is completed, send the payment photo to Email: [email protected]
>>>>payment is completed Send via email we will provide you the programs Sometimes you will need to wait for our answer because we attack many companies. we will provide you the programs Warning! Recovery recormnendations. We strongly recommend you to do not MODIFY or REPAIR your files, that wil1 damage them

Signatures

  • Renames multiple (355) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\ProgramData\39E5.tmp
      "C:\ProgramData\39E5.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\39E5.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2204
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:852

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\CCCCCCCCCCC

      Filesize

      129B

      MD5

      de08721dddb6ccb0ac2d4787d06a90db

      SHA1

      23b07f20e0ad140aaed788d073af2bb1ec6d9bb6

      SHA256

      bdf9e20dce97383b8b199027f934eb64c3a35b9355691ba98310908b30136a98

      SHA512

      12eb6e4fe4c5c8e38f9ec85c84e4d2826f5ab821b82390a0b47eaecf5aece9d18a88a8f2c8de5051f9a06d58a2f22871879457fa9726b47227811676ee244fa6

    • C:\4i9YfYWBr.README.txt

      Filesize

      1KB

      MD5

      3ada01b616e140ae59cdaad69674a811

      SHA1

      704f23db0249fee5710e542e34c49a69f88ca8f1

      SHA256

      aeeb458cd84a400cca7f7e84784d5738476c8b12e5d78c6db715af1b77f487e2

      SHA512

      26061425137a69e7b2c4e76797f0adc95bd6d817d9c40dc2b821f4704cfa1a70cf6c4c6866afa489b74251060dc436c10aaa63cd552d18f511973783938de4f4

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      147KB

      MD5

      7599b76338846f6b743efa245b536fa1

      SHA1

      f0cafdda111e6f00758582a505c87c7552aa51d4

      SHA256

      f470c69486bf60a43ca24e86a3139c3b9cfd689635125fec203452a77c6fec3b

      SHA512

      a7893832358143eb9628f6ebca43db1a42381bf4da83591fd691926076e83e4a596a982af3f51d3b0265989ae810241e2a68b53a0860bc3a8d015428856c55e5

    • F:\$RECYCLE.BIN\S-1-5-21-2039016743-699959520-214465309-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      df5cfc1fcf0dfc76d37a6b0369b57d53

      SHA1

      2117b4cef6e04dbe4550895a5611c9b823b84d44

      SHA256

      16b09f0b09e8c90ede9edad51c0e509b2203d559faa66f369767c7e254ca7667

      SHA512

      afdca962eb58d61079d45fbf92c75c75c2baedf9ef075bf6b38c231c2842bb34fda37af4b5d36d73399ad8f36fee5784aaf1deeb6603fadba099e5eb10df7b06

    • \ProgramData\39E5.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/2012-892-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

    • memory/2012-891-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

    • memory/2012-890-0x00000000004C0000-0x0000000000500000-memory.dmp

      Filesize

      256KB

    • memory/2012-889-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

    • memory/2012-921-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB

    • memory/2012-922-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

    • memory/2524-0-0x00000000021C0000-0x0000000002200000-memory.dmp

      Filesize

      256KB