Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-01-2025 02:35

General

  • Target

    2025-01-04_f33a0c04a1984e22cf953cc811f6d4cf_darkside.exe

  • Size

    160KB

  • MD5

    f33a0c04a1984e22cf953cc811f6d4cf

  • SHA1

    90eb7457e9952738195f7203bdde11ee8a77c8ba

  • SHA256

    458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898

  • SHA512

    e241c70576f99f84575a05c5d1e9a112e91d3ebb1578d364dac1a0f5d25a8c7fff82ca8aa5e1a5598e7e0800c149f4c648630b41a6ae790e37713040d802d5fb

  • SSDEEP

    3072:vDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368+QBVBuEsMeUI/EQ9BW:R5d/zugZqll3LHVeVB

Malware Config

Signatures

  • Renames multiple (182) files with added filename extension

    This indicates ransomware activity: files across the system are being encrypted and renamed with a new extension.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

    Calling NtSetInformationThread with ThreadHideFromDebugger stops an attached debugger from receiving events for that thread; it is a common anti-analysis technique.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service manages backups/snapshots. Ransomware typically calls this API to enumerate and delete existing snapshots so that encrypted files cannot be restored from them; the vssvc.exe process in the tree below is started by that call.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-04_f33a0c04a1984e22cf953cc811f6d4cf_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-04_f33a0c04a1984e22cf953cc811f6d4cf_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\ProgramData\B1C2.tmp
      "C:\ProgramData\B1C2.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B1C2.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2804
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2488
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x148
    1⤵
    PID:1760
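The following is an added example, not part of the sandbox report, showing how two of the behaviours above can be detected from Sysmon-style telemetry: a process that spawns cmd.exe to delete its own image ("Deletes itself" / Indicator Removal: File Deletion) and a process that renames many files by appending an extension. The process events are constructed from the tree above (PIDs 1912, 2376, 2804); the file-rename events, their paths and the `.locked` extension are placeholders, since the report does not list the renamed files or the extension used. Note the two path mismatches a naive rule would miss: the child image is `SysWOW64\cmd.exe` while its command line says `System32` (WOW64 redirection for a 32-bit parent), and the DEL target uses the 8.3 short name `C:\PROGRA~3` rather than `C:\ProgramData`.

```python
import ntpath
import re
from collections import defaultdict

# --- Constructed sample telemetry ------------------------------------------
# Process events mirror the report's process tree. Rename events are invented
# placeholders (the report states 182 renames but lists neither files nor the
# appended extension).
EVENTS = [
    {"type": "process", "pid": 1912, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2025-01-04_f33a0c04a1984e22cf953cc811f6d4cf_darkside.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2025-01-04_f33a0c04a1984e22cf953cc811f6d4cf_darkside.exe"'},
    {"type": "process", "pid": 2376, "ppid": 1912,
     "image": r"C:\ProgramData\B1C2.tmp", "cmdline": r'"C:\ProgramData\B1C2.tmp"'},
    # Image is SysWOW64\cmd.exe although the command line names System32: a
    # 32-bit parent is subject to WOW64 file-system redirection. The DEL target
    # is an 8.3 short path, so it will never string-match C:\ProgramData.
    {"type": "process", "pid": 2804, "ppid": 2376,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B1C2.tmp >> NUL'},
    # A benign rename (new name, no extension appended) that must not count.
    {"type": "rename", "pid": 1912,
     "src": r"C:\Users\Admin\Documents\draft.docx",
     "dst": r"C:\Users\Admin\Documents\final.docx"},
] + [
    {"type": "rename", "pid": 1912,
     "src": rf"C:\Users\Admin\Documents\file{i}.docx",
     "dst": rf"C:\Users\Admin\Documents\file{i}.docx.locked"}
    for i in range(12)
]

# Matches "DEL [/F /Q ...] <target>" in a cmd.exe command line and captures the
# target path; the optional quotes handle paths containing spaces.
DEL_RE = re.compile(r'\bDEL\b(?:\s+/\w+)*\s+("?)(?P<target>[^">\s]+)\1', re.IGNORECASE)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect_self_delete(events):
    """Flag cmd.exe children whose DEL target has the same file name as the
    parent's image. Only the basename is compared, because the parent image is
    logged with a long path and the DEL target with an 8.3 short path."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in procs.values():
        if basename(e["image"]) != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        parent = procs.get(e["ppid"])
        if not m or parent is None:
            continue
        if basename(m.group("target")) == basename(parent["image"]):
            findings.append({"rule": "self_delete_via_cmd", "pid": parent["pid"],
                             "child_pid": e["pid"], "target": m.group("target")})
    return findings


def detect_mass_rename(events, threshold=10):
    """Flag a process that appends a new extension to at least `threshold`
    files in place (old name is a proper prefix of the new name, same dir)."""
    per_pid = defaultdict(lambda: {"count": 0, "extensions": set()})
    for e in events:
        if e["type"] != "rename":
            continue
        src, dst = basename(e["src"]), basename(e["dst"])
        same_dir = ntpath.dirname(e["src"]).lower() == ntpath.dirname(e["dst"]).lower()
        if same_dir and dst.startswith(src + ".") and len(dst) > len(src) + 1:
            stats = per_pid[e["pid"]]
            stats["count"] += 1
            stats["extensions"].add(dst[len(src):])
    return [{"rule": "mass_rename_added_extension", "pid": pid,
             "count": s["count"], "extensions": sorted(s["extensions"])}
            for pid, s in per_pid.items() if s["count"] >= threshold]


if __name__ == "__main__":
    for finding in detect_self_delete(EVENTS) + detect_mass_rename(EVENTS):
        print(finding)
```

Against the constructed events this reports PID 2376 deleting its own image through PID 2804, and PID 1912 appending `.locked` to 12 files; the `final.docx` rename is ignored. The rename threshold is deliberately low for the sample; on real endpoint data it should be tuned per environment and combined with a time window.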

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini

      Filesize

      129B

      MD5

      b2f6ec9425f5df06f9869141456590ab

      SHA1

      9c56f36777ec7f02950c8957926bea29daa1ca98

      SHA256

      80950417e2d4c41f1e195a02dd2e1a160668e0f2fe2292401fe295fb2b9fba7b

      SHA512

      6ec63f046336057e6dd72f007676db8ff5b3082300b7f621991c3a18e54701fa7372175be6e41a993aa3ad273f604fe0444346ce44bb2a50da6103957e1a970f

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      160KB

      MD5

      596b6373a974f0e792d5e9e609b7e1a8

      SHA1

      68991b015b41d77693351cca76af3441cd7a0daf

      SHA256

      56f7408b9d3f12acba5af3d6ab34db18736921baedc916a490991663cabb7486

      SHA512

      d5a6b422d6ed6abfc7b5e8d80855b48d8ffe022146b04c5ca4afd97f9ec39e2afc90fb8997af19bb8c911e2d301f5e03700d8014533bc106973a718cc5474f73

    • C:\Users\XA2JxFVyZ.README.txt

      Filesize

      6KB

      MD5

      c7db8801e5d78b52bee4a84900380c6f

      SHA1

      ba4bcae82dec6a3fd0b31b6469632b8be84d491b

      SHA256

      a16f35817f5a81a64c9542f500413044e57ec4d1b22fb3eae2a7481bb7b7ecc4

      SHA512

      94e883a0408369bd5e00877343470109181b64c0542b424361b18f50eefefe7668eee5d496c960be47897bd8613ab33f1db54556f4e94a9f6a3267ac5f5dac7d

    • F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      5ac40e5895c8314abc5adf8bd95fa7e5

      SHA1

      aa620639d7b839e5cd26fcc5bccf50e89239c02a

      SHA256

      fd7aa6833bdab20828be3c8818f0d20c2b388ec7b8873439c799c039f7828c3f

      SHA512

      ff9eba16551ec3a00209a8b75d0ce74c72ba71aba2203c986903816789699b70205cfe8671da1a789e09f24f47cd1bc254e7bb1922d1f2a1c400221a5cad77b2

    • \ProgramData\B1C2.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/1912-0-0x00000000025C0000-0x0000000002600000-memory.dmp

      Filesize

      256KB

    • memory/2376-314-0x0000000002220000-0x0000000002260000-memory.dmp

      Filesize

      256KB

    • memory/2376-317-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

    • memory/2376-316-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

    • memory/2376-315-0x0000000002220000-0x0000000002260000-memory.dmp

      Filesize

      256KB

    • memory/2376-312-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

    • memory/2376-346-0x0000000002220000-0x0000000002260000-memory.dmp

      Filesize

      256KB

    • memory/2376-350-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

    • memory/2376-349-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB