Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-12-2024 04:02

General

  • Target

    2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe

  • Size

    147KB

  • MD5

    43341d5a1d976b348d42ad9c0f9c605d

  • SHA1

    fe704f8a65f572217bcfe147057dc57adf4476f0

  • SHA256

    7320950d74a2fc29fc3067391a3e5f8b180b5cf84e6fbd41d7cb32067ee41c86

  • SHA512

    c17578c5b004cf359548dee26fa1c4967608b9aa7536e29413fc916005179ef3b2c2276311afbfa7a0275c0b598417786ae39564178855896768622524b8ab23

  • SSDEEP

    3072:J6glyuxE4GsUPnliByocWeplByuVgn/zHHwB65:J6gDBGpvEByocWepyF26

Malware Config

Extracted

Path

C:\4i9YfYWBr.README.txt

Ransom Note
What happens? Your network is encrypted, and currently not operational. e need only money, after payment we wil1 give you a decryptor for the entire network and you wil1 restore al1 the data.
>>>> What data stolen? From your network was stolen sensitive data. If you do not contact us we wil1 publish al1 your data in our blog and wil1 send it to the biggest mass media.
>>>>What guarantees?We are not a politically motivated group and we do not need anything otherthan your money.If you pay, we will provide you the programs for decryption and we will delete your data.If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goalsWe always keep our promises.
>>>>Pay ransom amount contact Email:[email protected]
>>>>Payment cryptocurrency address USDT-TRC20
>>>>TEG64M8gADhfgpcTdKSycYg75kyAVjExzf
>>>>payment is completed, send the payment photo to Email: [email protected]
>>>>payment is completed Send via email we will provide you the programs Sometimes you will need to wait for our answer because we attack many companies. we will provide you the programs Warning! Recovery recormnendations. We strongly recommend you to do not MODIFY or REPAIR your files, that wil1 damage them
Emails

Signatures

  • Renames multiple (607) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4448
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:3580
    • C:\ProgramData\A808.tmp
      "C:\ProgramData\A808.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A808.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1664
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:2500
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{4CD0570F-657A-4014-B34B-A24CDA130677}.xps" 133790545581730000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:1928

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\AAAAAAAAAAA

      Filesize

      129B

      MD5

      9d39220f86201bea7eed8986bfdaee7e

      SHA1

      f22e37a02d4768e16eb605c0851a5057defe2d1e

      SHA256

      fc5141677605ec3002b20dbfee393c9e5b029fea679c9666bfad7f6ad7da943b

      SHA512

      9de90b211a774b61a041ab6a520a971f270e8f1b9950de84af4c986274f1da0abd7a16bc8b98c58ccf82567a844757ccf020d6bdbeb3bacff77450767661cccf

    • C:\4i9YfYWBr.README.txt

      Filesize

      1KB

      MD5

      3ada01b616e140ae59cdaad69674a811

      SHA1

      704f23db0249fee5710e542e34c49a69f88ca8f1

      SHA256

      aeeb458cd84a400cca7f7e84784d5738476c8b12e5d78c6db715af1b77f487e2

      SHA512

      26061425137a69e7b2c4e76797f0adc95bd6d817d9c40dc2b821f4704cfa1a70cf6c4c6866afa489b74251060dc436c10aaa63cd552d18f511973783938de4f4

    • C:\ProgramData\A808.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      147KB

      MD5

      19c41357f30ab8820ae2cc942c4b7ea1

      SHA1

      296a7bf636adb3be8b349385bc860d7620eb9f9f

      SHA256

      3996ef4d42597e41622c6f486fe804af7fd912939d55988bd3d7ee9e4b0b0470

      SHA512

      b9c079a3de1dcfe94d58fe9dab23dcb30461d9cd6ac65c66414d008e8bd69122af00c5cc73346b10f3a4a0a533a5ffb8f1ba718ee219f2e08af2324a0c822427

    • C:\Users\Admin\AppData\Local\Temp\{059C182F-A441-40EB-B104-3D9FA36301A8}

      Filesize

      4KB

      MD5

      b59235983b85c56eea79cfca8d6d7d6d

      SHA1

      e8712f53f47706fd4fba9bdfde76932fd24943f2

      SHA256

      22c87b4b529e12cf2eb82701de516fa3f6aaf36e03d0777a554f66b813e5a374

      SHA512

      6bf870944d10daac9d31a7e5dfe0a635a144bf557feab0e2d034dbf5fda522f8ee1d5d5d1a2986fb1744bed97900dce210cbc8864b2934f588ba5c1a197f2f6c

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      db92eaaaf6028cfa21cd12728ad76232

      SHA1

      a193254fc622757efe568c8d657f62e227a2fb60

      SHA256

      8971d7da1f0c130fe950890e46fb086d2984a6b93f6e8d6021900f2cad234c38

      SHA512

      e394ef99be63d8bd75b4b964b0b0dd2de3bd1629c751440e4c3a52b0f18aad04034a116a0b52775a7a31ea85359902c49c4705e8eca85a3d867e3497468ba4f7

    • F:\$RECYCLE.BIN\S-1-5-21-4089630652-1596403869-279772308-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      ed8ac5c00a300358eddc47799e57b88c

      SHA1

      e8ecba8a210e376e0b90a74b857ebf6758dcd0b6

      SHA256

      19883533cb3ae4c21a94ea22ccf2ada17d9c2be2606ae153f2357d48f4d860a0

      SHA512

      0322c9556064703a6d22486d617d2d9f3ded4a2db0682434fb91fde72af128081ad44b7d86d6d76191a6e2faf3a6a14d21fd5df49eca41488ec1af090742095b

    • memory/1928-2834-0x00007FFF23D30000-0x00007FFF23D40000-memory.dmp

      Filesize

      64KB

    • memory/1928-2802-0x00007FFF26690000-0x00007FFF266A0000-memory.dmp

      Filesize

      64KB

    • memory/1928-2803-0x00007FFF26690000-0x00007FFF266A0000-memory.dmp

      Filesize

      64KB

    • memory/1928-2804-0x00007FFF26690000-0x00007FFF266A0000-memory.dmp

      Filesize

      64KB

    • memory/1928-2801-0x00007FFF26690000-0x00007FFF266A0000-memory.dmp

      Filesize

      64KB

    • memory/1928-2805-0x00007FFF26690000-0x00007FFF266A0000-memory.dmp

      Filesize

      64KB

    • memory/1928-2835-0x00007FFF23D30000-0x00007FFF23D40000-memory.dmp

      Filesize

      64KB

    • memory/4448-2785-0x0000000002480000-0x0000000002490000-memory.dmp

      Filesize

      64KB

    • memory/4448-2-0x0000000002480000-0x0000000002490000-memory.dmp

      Filesize

      64KB

    • memory/4448-0-0x0000000002480000-0x0000000002490000-memory.dmp

      Filesize

      64KB

    • memory/4448-2784-0x0000000002480000-0x0000000002490000-memory.dmp

      Filesize

      64KB

    • memory/4448-2783-0x0000000002480000-0x0000000002490000-memory.dmp

      Filesize

      64KB

    • memory/4448-1-0x0000000002480000-0x0000000002490000-memory.dmp

      Filesize

      64KB