Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-12-2024 09:30

General

  • Target

    2024-12-26_b9d13927f4fb87f17e14cada3f261f7e_darkside.exe

  • Size

    160KB

  • MD5

    b9d13927f4fb87f17e14cada3f261f7e

  • SHA1

    82131e59a93c91e31de564033506fdc3ea03a602

  • SHA256

    d2b525af7638efe57662b5b9869e4d5286a0711ede249e36e3908ab9d77bed03

  • SHA512

    cb236f7b96aa16be867c4e7b17e7afc21b78ef9b9ede69219b76480b95b3b3cd7b183c412a3ca344cbb53224c821449b980a5713b4632a71962d624a531fe4d6

  • SSDEEP

    3072:IDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368XguJK0RuzIhoOINW:C5d/zugZqll3AdUho

Malware Config

Signatures

  • Renames multiple (205) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed with an appended extension.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. The vssvc.exe process that starts during the run (PID 1980 below) is consistent with the sample touching shadow copies, though this report does not show what was done to them.
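The "Renames multiple (205) files with added filename extension" signature above is the kind of behaviour a host-based detector can reproduce from file rename telemetry. The following is an added example (not part of the sandbox report or the sandbox vendor's code): it groups rename events by the suffix that was appended to the original name and flags any suffix applied to many files in a short window. The events, field layout, threshold, and the `.locked` extension are constructed for the example; the report does not show which extension this sample actually appends.

```python
"""Flag a burst of in-place renames that all append the same new extension.

Added example, not code from the sandbox report. Event tuples are
(timestamp_seconds, old_path, new_path); this layout is an assumption.
"""
from collections import defaultdict
import ntpath  # Windows path rules regardless of the host OS

# Constructed sample: five "encrypt and rename" events, then two benign renames.
# The ".locked" extension is a placeholder, not the extension used by this sample.
SAMPLE_RENAMES = [
    (0.0, r"C:\Users\Admin\Documents\report.docx", r"C:\Users\Admin\Documents\report.docx.locked"),
    (0.1, r"C:\Users\Admin\Documents\budget.xlsx", r"C:\Users\Admin\Documents\budget.xlsx.locked"),
    (0.2, r"C:\Users\Admin\Pictures\cat.jpg", r"C:\Users\Admin\Pictures\cat.jpg.locked"),
    (0.3, r"C:\Users\Admin\Pictures\dog.jpg", r"C:\Users\Admin\Pictures\dog.jpg.locked"),
    (0.4, r"C:\Users\Admin\Desktop\notes.txt", r"C:\Users\Admin\Desktop\notes.txt.locked"),
    (5.0, r"C:\Users\Admin\Downloads\setup.exe", r"C:\Users\Admin\Downloads\setup_old.exe"),
    (6.0, r"C:\Users\Admin\Desktop\draft.txt", r"C:\Users\Admin\Desktop\draft.txt.bak"),
]


def appended_suffix(old_path, new_path):
    """Return the lower-cased suffix if new_path is old_path with an extra
    '.ext' appended in the same directory, otherwise None."""
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if old_dir.lower() != new_dir.lower():
        return None  # moved to another directory: not an in-place rename
    if not new_name.lower().startswith(old_name.lower()):
        return None  # name was changed, not extended
    suffix = new_name[len(old_name):]
    if len(suffix) < 2 or not suffix.startswith("."):
        return None  # extension must be '.' plus at least one character
    return suffix.lower()


def detect_mass_rename(events, threshold=5, window_seconds=60.0):
    """Return {suffix: peak_count} for every appended suffix that hit at least
    `threshold` files inside any `window_seconds` sliding window."""
    per_suffix = defaultdict(list)
    for ts, old, new in events:
        suffix = appended_suffix(old, new)
        if suffix:
            per_suffix[suffix].append(ts)
    hits = {}
    for suffix, times in per_suffix.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            while times[i] - times[j] > window_seconds:
                j += 1  # slide the window start forward
            best = max(best, i - j + 1)
        if best >= threshold:
            hits[suffix] = best
    return hits


if __name__ == "__main__":
    for suffix, count in detect_mass_rename(SAMPLE_RENAMES).items():
        print(f"mass rename: {count} files gained suffix {suffix}")
```

Matching on the appended suffix rather than on a fixed extension is deliberate: families that use a per-victim extension (the ransom note name `usKv553SJ.README.txt` in this run suggests one) defeat static extension lists, while the "many files, one new suffix, short window" shape survives. Tune `threshold` and `window_seconds` against backup and archiving software that legitimately renames in bulk.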

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-26_b9d13927f4fb87f17e14cada3f261f7e_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-26_b9d13927f4fb87f17e14cada3f261f7e_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\ProgramData\F586.tmp
      "C:\ProgramData\F586.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F586.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1384
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1980
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
    PID:2020
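The process tree above shows the dropped `C:\ProgramData\F586.tmp` (PID 2996) removing itself through `cmd.exe /C DEL /F /Q C:\PROGRA~3\F586.tmp >> NUL` (PID 1384), which is what the "Deletes itself" signature records. Two details matter for anyone writing a detection for this: the target is written as an 8.3 short name (`PROGRA~3`), so a string match against `C:\ProgramData` fails, and the parent is 32-bit, so the command line names `System32\cmd.exe` while the image that actually runs is `SysWOW64\cmd.exe` (WoW64 file system redirection). The following is an added example, not code from the sandbox report or its vendor: it walks constructed process-creation events shaped like the tree above, extracts the `DEL` target, and flags a `cmd.exe` whose deletion target is the image of one of its ancestors. The field names and the parent PIDs of the top-level processes are assumptions.

```python
"""Detect "delete my own image via cmd.exe" in process-creation telemetry.

Added example, not part of the sandbox report. Event dicts loosely follow
Sysmon Event ID 1 fields (pid, ppid, image, cmdline); that layout and the
ppid values of the top-level processes are assumptions.
"""
import ntpath
import re

# Constructed events mirroring the report's process tree. PIDs, images and
# command lines are copied from the report; ppid 1234 and 600 are placeholders.
EVENTS = [
    {"pid": 2616, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-12-26_b9d13927f4fb87f17e14cada3f261f7e_darkside.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2024-12-26_b9d13927f4fb87f17e14cada3f261f7e_darkside.exe"'},
    {"pid": 2996, "ppid": 2616, "image": r"C:\ProgramData\F586.tmp",
     "cmdline": r'"C:\ProgramData\F586.tmp"'},
    {"pid": 1384, "ppid": 2996, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F586.tmp >> NUL'},
    {"pid": 1980, "ppid": 600, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
]

# DEL or ERASE, optional switches such as /F /Q, then a quoted or bare path.
DEL_RE = re.compile(
    r'(?:^|\s)(?:DEL|ERASE)\b(?:\s+/\w+)*\s+(?:"([^"]+)"|([^\s>]+))',
    re.IGNORECASE,
)


def del_target(cmdline):
    """Return the path passed to DEL/ERASE in a cmd.exe command line, or None."""
    m = DEL_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def same_file(path_a, path_b):
    """Case-insensitive path comparison that tolerates 8.3 short names.

    C:\\PROGRA~3\\F586.tmp and C:\\ProgramData\\F586.tmp cannot be proven equal
    without querying the file system, so a matching file name on the same
    drive with a '~' component on either side is treated as a probable match.
    """
    a, b = path_a.lower(), path_b.lower()
    if a == b:
        return True
    dir_a, name_a = ntpath.split(a)
    dir_b, name_b = ntpath.split(b)
    if name_a != name_b:
        return False
    same_drive = ntpath.splitdrive(dir_a)[0] == ntpath.splitdrive(dir_b)[0]
    return same_drive and ("~" in dir_a or "~" in dir_b)


def find_self_deletes(events, max_depth=10):
    """Flag cmd.exe processes whose DEL target is the image of an ancestor.

    Returns one finding per hit with the cmd.exe pid, the pid whose image is
    being deleted, that image, the raw target string, and the ancestor depth
    (1 = direct parent deletes itself through cmd.exe, as in this report).
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue  # image, not command line: survives the System32/SysWOW64 mismatch
        target = del_target(e["cmdline"])
        if not target:
            continue
        ancestor, depth = by_pid.get(e["ppid"]), 1
        while ancestor is not None and depth <= max_depth:
            if same_file(target, ancestor["image"]):
                findings.append({"cmd_pid": e["pid"], "victim_pid": ancestor["pid"],
                                 "image": ancestor["image"], "target": target,
                                 "depth": depth})
                break
            ancestor, depth = by_pid.get(ancestor["ppid"]), depth + 1
    return findings


if __name__ == "__main__":
    for hit in find_self_deletes(EVENTS):
        print(f"pid {hit['victim_pid']} deletes its own image {hit['image']} "
              f"via cmd.exe pid {hit['cmd_pid']} (target written as {hit['target']})")
```

Walking the full ancestry rather than only the direct parent also catches the variant where a dropper, not the dropped payload, is what gets deleted. On a live host, resolve the short name with the Win32 long-path API instead of the heuristic in `same_file`; in offline telemetry, where the file is already gone, the heuristic is usually the best available.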

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini

      Filesize

      129B

      MD5

      7d1d1a2eb6e7f238cbf5520f145a4e51

      SHA1

      3f8a0ed17f42444d21a368607b9a1d86cc6870da

      SHA256

      d312d28b66fe200dc1a8cc65132864418a9396ee68de69788057d287ec191d5b

      SHA512

      dd7085b5fe8d8890a8ec7bf38ed889f75442284e8f5a1152de5a1483bcfd5368adbf7883721d7424fd183de87eb824db7056e4027bbb21e66946736d3b36e2b1

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      160KB

      MD5

      6bc3427e0689120728d00fdf0b544003

      SHA1

      563f4f7b9e142f32236693664ddae9fd20326458

      SHA256

      2507c08fee479334360d287c66564448d0cb87429a56695bee872b158e79a8c6

      SHA512

      d45e7bb6437ed600d1c81d25c3785f60a83c54b5c7678cffcc8abe1782a1bcd2107691b245bf95409a45b5c667e9d70524b2e27ab33f671ccdda1dc4e5f6ea27

    • C:\Users\usKv553SJ.README.txt

      Filesize

      6KB

      MD5

      9ea53b250a0c6570968e3859d89bafd4

      SHA1

      423da99fe5048bfc835e008336a2791927a13d99

      SHA256

      998ef95b46b860e0a690dad54c94884b96c1d6bf371f98e29d2ea2811fb03167

      SHA512

      714f0ca592b26de02d03fa9e39b844dbf0863a850c0c0676144f818b191445e45c003465d6d0de48baf982dd4e25ae5e3104c1e33a576d77494b6520406246a5

    • F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      6dd2ad105b4ecccac23b8b7d302ceeb4

      SHA1

      d3ca81cb0f92ab05ed4b1fe4e9256446379d3267

      SHA256

      c891bc956f9d745698187a7cf4b02a95948c1d40598d3902e84f035a6800db21

      SHA512

      8a45a58f5fda0cf424a79c60e0251051dec846e5072b2ab1154c47e16f9c5c6821ce16012afdbad282eceb49caba2d54e902159bb4d5bec34f7ce7450d1c997f

    • \ProgramData\F586.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/2616-1-0x0000000000C50000-0x0000000000C90000-memory.dmp

      Filesize

      256KB

    • memory/2616-0-0x0000000000C50000-0x0000000000C90000-memory.dmp

      Filesize

      256KB

    • memory/2996-336-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

    • memory/2996-340-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

    • memory/2996-339-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

    • memory/2996-338-0x00000000022C0000-0x0000000002300000-memory.dmp

      Filesize

      256KB

    • memory/2996-372-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

    • memory/2996-371-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB