Extracted

Extracted

• • Target

    2024-12-27_d0729e9b53b9ae6898be31d4c82fcedd_darkside

  • Size

    147KB

  • MD5

    d0729e9b53b9ae6898be31d4c82fcedd

  • SHA1

    4cc9743bb3a016eb97d5e12807a52789b13584a2

  • SHA256

    74b812ac49287fd6161fdad78223821f7005501fec4644eaa1dd89b6e40c2f34

  • SHA512

    21e945d238f1e00b7becbccbc1666d1e67f842ef485a5980e7da1975d2c6ccbe99af28d4a9cce36c32511ecf388456d2ead1355ed8c5c123b04b10e369bcf555

  • SSDEEP

    3072:y6glyuxE4GsUPnliByocWep0d0EVvOkEig5ErIiRq:y6gDBGpvEByocWe6ay8icEd

  Score

  10^/10

  defense_evasiondiscoveryransomwarespywarestealer

  • Renames multiple (341) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2