Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-12-2024 04:02

General

  • Target

    2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe

  • Size

    147KB

  • MD5

    43341d5a1d976b348d42ad9c0f9c605d

  • SHA1

    fe704f8a65f572217bcfe147057dc57adf4476f0

  • SHA256

    7320950d74a2fc29fc3067391a3e5f8b180b5cf84e6fbd41d7cb32067ee41c86

  • SHA512

    c17578c5b004cf359548dee26fa1c4967608b9aa7536e29413fc916005179ef3b2c2276311afbfa7a0275c0b598417786ae39564178855896768622524b8ab23

  • SSDEEP

    3072:J6glyuxE4GsUPnliByocWeplByuVgn/zHHwB65:J6gDBGpvEByocWepyF26

Malware Config

Extracted

Path

C:\4i9YfYWBr.README.txt

Ransom Note
What happens? Your network is encrypted, and currently not operational. e need only money, after payment we wil1 give you a decryptor for the entire network and you wil1 restore al1 the data. >>>> What data stolen? From your network was stolen sensitive data. If you do not contact us we wil1 publish al1 your data in our blog and wil1 send it to the biggest mass media. >>>>What guarantees?We are not a politically motivated group and we do not need anything otherthan your money.If you pay, we will provide you the programs for decryption and we will delete your data.If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goalsWe always keep our promises. >>>>Pay ransom amount contact Email:[email protected] >>>>Payment cryptocurrency address USDT-TRC20 >>>>TEG64M8gADhfgpcTdKSycYg75kyAVjExzf >>>>payment is completed, send the payment photo to Email: [email protected] >>>>payment is completed Send via email we will provide you the programs Sometimes you will need to wait for our answer because we attack many companies. we will provide you the programs Warning! Recovery recormnendations. We strongly recommend you to do not MODIFY or REPAIR your files, that wil1 damage them
Emails

Signatures

  • Renames multiple (316) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\ProgramData\DB9F.tmp
      "C:\ProgramData\DB9F.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1860
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DB9F.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2084
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:1904

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\EEEEEEEEEEE

      Filesize

      129B

      MD5

      6793277d7afa6aa48e25e82db44e0740

      SHA1

      ecd2fe72e693c5c4212d794c098e7028202ae12c

      SHA256

      d98ea5afb42a41f8444db697b18734c4416eede30dd6358e42fefe1d03ce7df4

      SHA512

      bb8d5e45fd41eaa5e5c85bd8885363797c389a6aba934ec26b5b61c3ba3ab67d7b9c4dfdbf159db79a4d40d3a3ef4bcef63f097b5b90f3cdab5b4e9c35c0ca37

    • C:\4i9YfYWBr.README.txt

      Filesize

      1KB

      MD5

      3ada01b616e140ae59cdaad69674a811

      SHA1

      704f23db0249fee5710e542e34c49a69f88ca8f1

      SHA256

      aeeb458cd84a400cca7f7e84784d5738476c8b12e5d78c6db715af1b77f487e2

      SHA512

      26061425137a69e7b2c4e76797f0adc95bd6d817d9c40dc2b821f4704cfa1a70cf6c4c6866afa489b74251060dc436c10aaa63cd552d18f511973783938de4f4

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      147KB

      MD5

      8d3ac42ce4d601a6064bd8f9a62ccd32

      SHA1

      6017ed7d892d3529e866b6461156c08a787829f5

      SHA256

      86d1e626eb4ca91324361ed7b1a054c1f27747199e49bf50b118373ce20dd02e

      SHA512

      2ac09908441bcf90519d22f4dabcac03b408e56abbc9c4d05b8e16c3645f18bed97d07903764a0123ffb2484b3875c2b61e3643bb1000b25a02c89b6d0566dba

    • F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\EEEEEEEEEEE

      Filesize

      129B

      MD5

      e14b82f534405e030ec5dfc755daddd1

      SHA1

      e80931896c227ebc63dbbacffbb0e5e4e1352b5b

      SHA256

      822d32b69830bb46c6642b40a71a4ab2f3edd25c9ededb849b43bcbdbf103e4a

      SHA512

      3b10084c12b51bc42dfcc1d562b1f426d5c1e3f433fba3d31871658b468f0e88c9238b9f87abf18f048a96f99686164319cbabfb472c6d2bc871683d5ade54e2

    • \ProgramData\DB9F.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/1860-849-0x0000000000401000-0x0000000000404000-memory.dmp

      Filesize

      12KB

    • memory/1860-853-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/1860-852-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/1860-850-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/2236-0-0x00000000024E0000-0x0000000002520000-memory.dmp

      Filesize

      256KB