Analysis

  • max time kernel
    93s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-12-2024 03:57

General

  • Target

    2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe

  • Size

    147KB

  • MD5

    43341d5a1d976b348d42ad9c0f9c605d

  • SHA1

    fe704f8a65f572217bcfe147057dc57adf4476f0

  • SHA256

    7320950d74a2fc29fc3067391a3e5f8b180b5cf84e6fbd41d7cb32067ee41c86

  • SHA512

    c17578c5b004cf359548dee26fa1c4967608b9aa7536e29413fc916005179ef3b2c2276311afbfa7a0275c0b598417786ae39564178855896768622524b8ab23

  • SSDEEP

    3072:J6glyuxE4GsUPnliByocWeplByuVgn/zHHwB65:J6gDBGpvEByocWepyF26

Malware Config

Extracted

Path

C:\4i9YfYWBr.README.txt

Ransom Note
What happens? Your network is encrypted, and currently not operational. e need only money, after payment we wil1 give you a decryptor for the entire network and you wil1 restore al1 the data. >>>> What data stolen? From your network was stolen sensitive data. If you do not contact us we wil1 publish al1 your data in our blog and wil1 send it to the biggest mass media. >>>>What guarantees?We are not a politically motivated group and we do not need anything otherthan your money.If you pay, we will provide you the programs for decryption and we will delete your data.If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goalsWe always keep our promises. >>>>Pay ransom amount contact Email:[email protected] >>>>Payment cryptocurrency address USDT-TRC20 >>>>TEG64M8gADhfgpcTdKSycYg75kyAVjExzf >>>>payment is completed, send the payment photo to Email: [email protected] >>>>payment is completed Send via email we will provide you the programs Sometimes you will need to wait for our answer because we attack many companies. we will provide you the programs Warning! Recovery recormnendations. We strongly recommend you to do not MODIFY or REPAIR your files, that wil1 damage them
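Triage helpers for a note of this kind, added here as an example and not part of the sandbox report or the malware's own code. The NOTE excerpt is constructed: it reuses wording and the USDT-TRC20 address shown above, and the e-mail appears only as the page's "[email protected]" obfuscation placeholder, so no real address is assumed. The point worth showing is ordering: the wallet address is extracted before the "1 for l" substitutions ("wil1", "al1") are undone, so normalisation cannot corrupt the address, and the address check is a format check only, not a base58check checksum.

```python
"""Ransom-note triage: wallet extraction, leet normalisation, keyword scoring.
Added example; NOTE is a constructed excerpt, not the report's full note."""
import re

# Constructed excerpt in the style of the extracted note.  The e-mail is the
# page's "[email protected]" placeholder, not a recovered address.
NOTE = (
    "What happens? Your network is encrypted, and currently not operational. "
    "We need only money, after payment we wil1 give you a decryptor for the "
    "entire network and you wil1 restore al1 the data. >>>>Pay ransom amount "
    "contact Email:[email protected] >>>>Payment cryptocurrency address USDT-TRC20 "
    ">>>>TEG64M8gADhfgpcTdKSycYg75kyAVjExzf >>>>Recovery recormnendations: "
    "do not MODIFY or REPAIR your files."
)

# TRON (TRC20) address: 34 base58 characters beginning with 'T'.
# Format check only; the base58check checksum is not verified here.
TRON_ADDR = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")
CF_EMAIL_PLACEHOLDER = "[email protected]"

# A digit '1' standing in for 'l' inside an alphabetic word ("wil1", "al1").
# Only fires when a letter precedes the digit and the digit ends the word or
# is followed by a letter, so "1KB" and wallet addresses are left alone.
LEET_L = re.compile(r"(?<=[A-Za-z])1(?=[A-Za-z]|\b)")
KEYWORDS = ("encrypted", "decryptor", "ransom", "payment", "publish", "will")


def extract_wallets(text):
    """Pull TRON addresses out of the raw text, before any normalisation."""
    return TRON_ADDR.findall(text)


def normalize_leet(text):
    """Undo the 1->l substitution so keyword matching sees 'will' and 'all'."""
    return LEET_L.sub("l", text)


def keyword_hits(text):
    """Case-insensitive keyword hits, in KEYWORDS order, on the normalised note."""
    low = normalize_leet(text).lower()
    return [k for k in KEYWORDS if k in low]


def triage(text):
    """Summary a hunt query or a YARA author would want from one note."""
    wallets = extract_wallets(text)
    hits = keyword_hits(text)
    return {
        "wallets": wallets,
        "keywords": hits,
        "email_obfuscated": CF_EMAIL_PLACEHOLDER in text,
        "score": 2 * len(wallets) + len(hits),
    }


if __name__ == "__main__":
    print(triage(NOTE))
```

A keyword rule written against the raw text would miss "will" and "all" in this note; normalising first, and only after the wallet has been captured, is the detail that matters.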
Emails

Signatures

  • Renames multiple (596) files with added filename extension

    Renaming hundreds of files with a new extension is consistent with ransomware encrypting the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
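Two of the signatures above ("Renames multiple files with added filename extension" and "Deletes itself" via cmd.exe) translate directly into detection logic. The block below is an added example, not from the sandbox or the sample: the events are constructed Sysmon-style records, the image path of the sample, the appended extension on the renamed files, and the threshold of five renames are assumptions; only the cmd.exe command line and the C:\ProgramData\377.tmp path are taken from the process tree on this page. The self-delete check has to cope with the 8.3 short name (C:\PROGRA~3\377.tmp) that cmd.exe received for the parent's long path.

```python
"""Detections for mass extension-append renames and cmd.exe self-deletion.
Added example; EVENTS are constructed records, not sandbox output."""
import re
from collections import Counter, defaultdict

DOCS_DIR = r"C:\Users\Admin\Documents"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # hypothetical image path

# Constructed events (field names follow Sysmon; values are made up, except
# the cmd.exe command line and the 377.tmp parent, which appear in the report).
EVENTS = [
    {"type": "rename", "pid": 1224, "image": SAMPLE,
     "old": DOCS_DIR + "\\" + n, "new": DOCS_DIR + "\\" + n + ".4i9YfYWBr"}
    for n in ("a.docx", "b.xlsx", "c.pdf", "d.jpg", "e.txt", "f.pptx")
]
EVENTS.append({"type": "rename", "pid": 7777, "image": r"C:\Windows\explorer.exe",
               "old": DOCS_DIR + r"\draft.docx", "new": DOCS_DIR + r"\final.docx"})
EVENTS.append({"type": "process", "pid": 1844, "ppid": 3412,
               "image": r"C:\Windows\SysWOW64\cmd.exe",
               "parent_image": r"C:\ProgramData\377.tmp",
               "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\377.tmp >> NUL'})


def appended_extension(old, new):
    """Return the extension if `new` is exactly `old` + '.' + ext, else None."""
    if new.startswith(old + ".") and len(new) > len(old) + 1:
        return new[len(old) + 1:]
    return None


def mass_rename_by_pid(events, threshold):
    """PIDs that appended an extension to at least `threshold` files,
    mapped to (count, sorted extensions); ordinary renames are ignored."""
    counts, exts = Counter(), defaultdict(set)
    for e in events:
        if e["type"] != "rename":
            continue
        ext = appended_extension(e["old"], e["new"])
        if ext:
            counts[e["pid"]] += 1
            exts[e["pid"]].add(ext)
    return {pid: (n, sorted(exts[pid])) for pid, n in counts.items() if n >= threshold}


# DEL followed by optional single-letter switches, then the first target path.
DEL_TARGET = re.compile(r'\bDEL\s+(?:/[A-Z]\s+)*"?([^"\s>]+)', re.IGNORECASE)


def short_path_matches(short, full):
    """Heuristic 8.3 comparison (PROGRA~3 vs ProgramData).  Without the
    filesystem the ~N mapping cannot be resolved, so a tilde component matches
    on its prefix (PROGRA~3 would also match 'Program Files'); the file name
    itself must match exactly, and comparison is case-insensitive."""
    s, f = short.lower().split("\\"), full.lower().split("\\")
    if len(s) != len(f) or s[-1] != f[-1]:
        return False
    for a, b in zip(s, f):
        if "~" in a:
            if not b.startswith(a.split("~", 1)[0]):
                return False
        elif a != b:
            return False
    return True


def self_delete_events(events):
    """cmd.exe children whose DEL target is their own parent's image."""
    hits = []
    for e in events:
        if e["type"] != "process" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_TARGET.search(e["cmdline"])
        if m and short_path_matches(m.group(1), e["parent_image"]):
            hits.append((e["ppid"], e["parent_image"], m.group(1)))
    return hits


if __name__ == "__main__":
    print(mass_rename_by_pid(EVENTS, 5))
    print(self_delete_events(EVENTS))
```

The prefix match on tilde components is deliberately loose; in a real pipeline resolve the short name on the host (or log both forms) rather than trusting the heuristic on a collision-prone directory such as C:\PROGRA~N.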

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:2036
    • C:\ProgramData\377.tmp
      "C:\ProgramData\377.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3412
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\377.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1844
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:1104
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4180
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9ED39FEE-906D-450B-B339-0FACE1E1DDA1}.xps" 133790542588150000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:2588

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\BBBBBBBBBBB

      Filesize

      129B

      MD5

      6021f17c2e220162ab50085e2482bc8a

      SHA1

      33245cd57531573b0db205a8fa7e1801467c65b1

      SHA256

      b81ed018862bdf5d7366a5a5e12747b3301e112fc8081c32685119c1252931bc

      SHA512

      512fdeb9fd0ea20ec50a79bdf943337decdc7030a871310ea2e62c7245432032861767adee3b125ec7332b6f98407d97d09a7672f04b16fc6c8228b6354b946a

    • C:\4i9YfYWBr.README.txt

      Filesize

      1KB

      MD5

      3ada01b616e140ae59cdaad69674a811

      SHA1

      704f23db0249fee5710e542e34c49a69f88ca8f1

      SHA256

      aeeb458cd84a400cca7f7e84784d5738476c8b12e5d78c6db715af1b77f487e2

      SHA512

      26061425137a69e7b2c4e76797f0adc95bd6d817d9c40dc2b821f4704cfa1a70cf6c4c6866afa489b74251060dc436c10aaa63cd552d18f511973783938de4f4

    • C:\ProgramData\377.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      147KB

      MD5

      065489d49bb36a9b6efbbb461b27bc49

      SHA1

      0e5e97fd7f420d6c643b2ffb53cc47bb54e4ac57

      SHA256

      b441f0c0a7bd79532888e34c4d72f26fe95fd92711240ae33a60f6965f24b08f

      SHA512

      d65cb933c2ee8c0308769c3894d64b3f75863f7a89f14268548d0f00a95cfef5194b244eb7ba5f8e1f1ff71bc9847d4771064335aebf6a0deb9ec04b9371a23e

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      8d55ce2ba1baf56993ec30f3bb721bb6

      SHA1

      720812ddcc57cb78e21dbbe38e6facc5ee67fb81

      SHA256

      be8f191bb42b9899834e19de4fe98489232e6cab81aa84cc1f3e36b3717c6fdc

      SHA512

      708966922351067656a9a7088b80b6f2ec6a1cd53f64f9402c2dd90ea1cd68a3c6f8e3cc41c9638d406dbea05be557b111561a0bc5e29243248c77b5843ae8ea

    • F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      13e2969c05dc0167133208a6f9517d99

      SHA1

      37604a644d96594e473e39a22e34193962d9c170

      SHA256

      aa34babf932dcdf5d99c005146bd0bf13f70d654024d7b09dbcc1f62f9f5e091

      SHA512

      69fa1c10f9b9f98d264c9340e313c6e98bd5bbbdb78b84ca4f331977bf1c9528a8426a33f08ce84c41beb5cfd863b069ad94dd24601399a836962156a4a88997

    • memory/1224-2930-0x0000000003090000-0x00000000030A0000-memory.dmp

      Filesize

      64KB

    • memory/1224-2929-0x0000000003090000-0x00000000030A0000-memory.dmp

      Filesize

      64KB

    • memory/1224-0-0x0000000003090000-0x00000000030A0000-memory.dmp

      Filesize

      64KB

    • memory/1224-2928-0x0000000003090000-0x00000000030A0000-memory.dmp

      Filesize

      64KB

    • memory/1224-1-0x0000000003090000-0x00000000030A0000-memory.dmp

      Filesize

      64KB

    • memory/1224-2-0x0000000003090000-0x00000000030A0000-memory.dmp

      Filesize

      64KB

    • memory/2588-2942-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

      Filesize

      64KB

    • memory/2588-2944-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

      Filesize

      64KB

    • memory/2588-2946-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

      Filesize

      64KB

    • memory/2588-2943-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

      Filesize

      64KB

    • memory/2588-2947-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

      Filesize

      64KB

    • memory/2588-2979-0x00007FF84FBB0000-0x00007FF84FBC0000-memory.dmp

      Filesize

      64KB

    • memory/2588-2980-0x00007FF84FBB0000-0x00007FF84FBC0000-memory.dmp

      Filesize

      64KB
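To turn the artifact list above into something a hunt can consume, the block below parses this report's bullet/label/value layout, keeps only entries that carry a complete and well-formed hash set (the memory regions carry only a size), and matches local bytes against them, requiring every hash to agree rather than trusting a single algorithm. It is an added example, not a tool from the sandbox vendor; the REPORT excerpt is constructed from two of the entries shown above, and the bytes matched at the end are made up.

```python
"""Parser and hash matcher for the 'Downloads' artifact list of a sandbox
report.  Added example; REPORT is a constructed excerpt of the list above."""
import hashlib
import re

# Constructed excerpt: one file entry and one memory region, copied from the
# report layout above (bullet, then label/value pairs on separate lines).
REPORT = r"""
• C:\ProgramData\377.tmp

  Filesize

  14KB

  MD5

  294e9f64cb1642dd89229fff0592856b

  SHA1

  97b148c27f3da29ba7b18d6aee8a0db9102f47c9

  SHA256

  917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

  SHA512

  b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

• memory/1224-0-0x0000000003090000-0x00000000030A0000-memory.dmp

  Filesize

  64KB
"""

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"[0-9a-f]+")


def parse_downloads(text):
    """One dict per bullet; hash values are lower-cased, sizes kept verbatim."""
    records, current, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            label = None
        elif current is not None and line in LABELS:
            label = line
        elif current is not None and label is not None:
            current[label] = line.lower() if label in HEX_LEN else line
            label = None
    return records


def well_formed(record):
    """True when every hash is present with the expected length and alphabet."""
    for name, n in HEX_LEN.items():
        value = record.get(name)
        if value is None or len(value) != n or not HEX.fullmatch(value):
            return False
    return True


def hunting_set(records):
    """Entries usable as file IOCs, keyed by SHA256; memory regions drop out."""
    return {r["SHA256"]: r for r in records if well_formed(r)}


def digests(data):
    """All four digests of a byte string, keyed like the report labels."""
    return {name: hashlib.new(name.lower(), data).hexdigest() for name in HEX_LEN}


def record_from_bytes(data, path):
    """Build a report-shaped record for local bytes (used to seed a hunt set)."""
    rec = {"path": path, "Filesize": f"{len(data)}B"}
    rec.update(digests(data))
    return rec


def match_bytes(data, iocs):
    """Return the matching record only if every listed hash agrees; a SHA256
    hit with a disagreeing MD5 or SHA1 indicates a mislabelled entry, not a hit."""
    d = digests(data)
    rec = iocs.get(d["SHA256"])
    if rec is None:
        return None
    return rec if all(rec[n] == d[n] for n in HEX_LEN) else None


if __name__ == "__main__":
    for sha, rec in hunting_set(parse_downloads(REPORT)).items():
        print(sha, rec["path"], rec["Filesize"])
```

Paths such as C:\ProgramData\377.tmp and the recycle-bin marker files are kept as context in the records but are not used for matching; they are trivially changed between runs, whereas the dropped-file hashes are what a file-integrity or EDR hunt can pivot on.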