Analysis

  • max time kernel: 150s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 04-01-2025 02:35

General

  • Target: 2025-01-04_f33a0c04a1984e22cf953cc811f6d4cf_darkside.exe
  • Size: 160KB
  • MD5: f33a0c04a1984e22cf953cc811f6d4cf
  • SHA1: 90eb7457e9952738195f7203bdde11ee8a77c8ba
  • SHA256: 458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898
  • SHA512: e241c70576f99f84575a05c5d1e9a112e91d3ebb1578d364dac1a0f5d25a8c7fff82ca8aa5e1a5598e7e0800c149f4c648630b41a6ae790e37713040d802d5fb
  • SSDEEP: 3072:vDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368+QBVBuEsMeUI/EQ9BW:R5d/zugZqll3LHVeVB

Malware Config

Signatures

  • Renames multiple (171) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-04_f33a0c04a1984e22cf953cc811f6d4cf_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-04_f33a0c04a1984e22cf953cc811f6d4cf_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\ProgramData\BFA6.tmp
      "C:\ProgramData\BFA6.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BFA6.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4160
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3548

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini
    Filesize: 129B
    MD5: 62170ac4369238dbc898b37746fb0b13
    SHA1: 327e61ce3db72f766dbff4712f5e85e167472459
    SHA256: 583eeaed29d0fb6712d62b7f9c6c6b7204cc6f19f3dcc4d175178dfc4a09ff83
    SHA512: ef86e1e36d2894589656e7735af354c32f15a56584605703e66b409f72f861817b3beb5aa6f5d2aa993a29ba3fa7fadf3ac96bab4e35c41533f35738bb358e90

  • C:\ProgramData\BFA6.tmp
    Filesize: 14KB
    MD5: 294e9f64cb1642dd89229fff0592856b
    SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
    Filesize: 160KB
    MD5: e506b9dcfe2178f64993509e4b9fc70d
    SHA1: a290eaaee171c4b4cff44b33637b1d54ef4f582b
    SHA256: d15896a315771204f94425010e2579c58ef07416747916c41b570aabfa4ddb0a
    SHA512: c1aea5d9a552fe08daa01bce6dbdbf5c7b8eef7314ae2fbe43ecf7e0b9244ffe9519590c3e6c8488e00747ab4dea6cb4d5084471b8e1f0e28f6b91ca420e3a19

  • C:\Users\XA2JxFVyZ.README.txt
    Filesize: 6KB
    MD5: 5b0cb7f0369d5edb14bb8b4a632e34b0
    SHA1: f8fc6eaa50f63e6b988de2509e30fec39bf62904
    SHA256: 26ab4fb26bccebbfe1523e43a3b758b94355781f9e9795c5721cf73b8b66f5e8
    SHA512: e2a6d83200554ea02e83b0e1f9d4e2c3a8f5226c57b2bbeab3ffe21617352250b7c8efe9a678ed08955a0154b696ebcfeeb087ef3560abc4796f8bcfffbbfe83

  • F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\DDDDDDDDDDD
    Filesize: 129B
    MD5: 517be2988e3cf4e739ca69035d1a35f4
    SHA1: 3eaa555cab04f051282b95a26b5310046487197f
    SHA256: 4f4c9c11f6018db0f3ca6cc2e403a77820c6541c9201b6479c7d44171094ff30
    SHA512: 36357071ac59646823cc84cb44e730c35afee64faf02b3d08e051cd158825ab94b6072bd9eac2f9fed5d5e866c20f2fa2207e3ee790bb0d7d984d9f3530eafd7

  • memory/2176-0-0x0000000001450000-0x0000000001460000-memory.dmp
    Filesize: 64KB

  • memory/2176-1-0x0000000001450000-0x0000000001460000-memory.dmp
    Filesize: 64KB

  • memory/3064-329-0x000000007FDC0000-0x000000007FDC1000-memory.dmp
    Filesize: 4KB

  • memory/3064-327-0x0000000002760000-0x0000000002770000-memory.dmp
    Filesize: 64KB

  • memory/3064-328-0x000000007FE20000-0x000000007FE21000-memory.dmp
    Filesize: 4KB

  • memory/3064-326-0x0000000002760000-0x0000000002770000-memory.dmp
    Filesize: 64KB

  • memory/3064-325-0x000000007FE40000-0x000000007FE41000-memory.dmp
    Filesize: 4KB

  • memory/3064-359-0x0000000002760000-0x0000000002770000-memory.dmp
    Filesize: 64KB

  • memory/3064-358-0x0000000002760000-0x0000000002770000-memory.dmp
    Filesize: 64KB

  • memory/3064-363-0x000000007FE00000-0x000000007FE01000-memory.dmp
    Filesize: 4KB

  • memory/3064-362-0x000000007FDE0000-0x000000007FDE1000-memory.dmp
    Filesize: 4KB