Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    10-01-2025 12:32

General

  • Target

    2025-01-10_c09185c157831e4915c255d7002941f4_darkside.exe

  • Size

    147KB

  • MD5

    c09185c157831e4915c255d7002941f4

  • SHA1

    beca597f2c2c120c3d74163501a81f56664ff4f7

  • SHA256

    6f3d87f3dcfd248e64d26cf338a19f41a6f93affdde5fab071a631ff38637757

  • SHA512

    a843854ca79f4d98938635612d20f3d5b79d8661ee91d1ae130b2deffe95e44d7028f76b8b221c87fab0638afe5baf3c55e8348f8aa10dddc90133167a3c17bf

  • SSDEEP

    3072:SqJogYkcSNm9V7DnfX/91c6G+Mqc+2EIEMF+T:Sq2kc4m9tDnfXPc6g+2XEMF

Malware Config

Extracted

Path

C:\5VFg9o5tW.README.txt

Ransom Note
(Reproduced verbatim, spelling errors included, because the exact wording is useful for matching against other samples. The contact addresses show as [email protected] because the page's email obfuscation replaced them; they are not recoverable from this copy.)

------Dear managers!------
If you are reading this, it means your network has been attacked.
What does that mean?
We hacked your network and now all your files, documents, client database, projects and other important data safely encrypted with reliable algorithms.
we also have a copy of all your data.
WARNING!!!
You don't have to go to the POLICE, etc. Otherwise we will not be able to help you.
You cannot acces the files right now. But do not worry. You can get it back! It is easy to recover in a few steps.
As proof, we can decrypt any 3 files you provide.
We are not interested to ruin your business. We want to get ransom and be happy.
Please bring this information to your team leaders as soon as possible.
In case of a successfull transaction, we will restore your systems within 4-6 hours and also provide security recommendations.
-----------------------WARNING-----------------------
If you modify files - our decrypt software won't able to recover data
If you use third party software - you can damage/modify files (see item 1)
You nedd cipher key / our decrypt software to restore you files.
The police or authorities will not be able to help you get the cipher key.
We encourage you to consider your decisions.
-----------------------RECOVERY-----------------------
Use email: [email protected]
Alternative email address: [email protected] ([email protected])
ID message: c5337115f1d1a

Signatures

  • Renames multiple (644) files with added filename extension

    This is the encryption pass: ransomware rewrites each victim file and renames it with an appended extension, here across 644 files on the local and attached drives.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofencing check so the payload does not run in certain locales.

  • Deletes itself 1 IoCs

    The dropped C:\ProgramData\9347.tmp removes its own image through the cmd.exe DEL child shown in the process tree below.

  • Executes dropped EXE 1 IoCs

    The 14KB file dropped as C:\ProgramData\9347.tmp is a PE launched directly, despite its .tmp extension.
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials. In a ransomware sample this signature is frequently a side effect of enumerating and encrypting files under browser profile directories rather than evidence of credential theft; no IoCs are attached here, so treat it as unconfirmed.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

    The dropped payload calls NtSetInformationThread with ThreadHideFromDebugger, an anti-debugging technique that stops the thread from delivering debug events to an attached debugger.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
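As an added example (not part of this report or of the sandbox's own signature logic), the Python below shows the heuristic behind the "Renames multiple files with added filename extension" signature, run over constructed file-rename events: it groups renames per process, keeps only those where the new name is the old name plus an extra extension, and flags a process that does this to many files within a short window. The PIDs, paths, timestamps and the appended extension `.x1y2z3` are made up for illustration; the report does not state which extension this sample appends.

```python
"""Flag a ransomware-style rename burst from file-rename events.

Added example, not part of the sandbox report. The events below are
constructed; the appended extension ".x1y2z3" and the paths are assumptions.
"""
from collections import Counter, defaultdict
import ntpath

# Constructed sample events: (timestamp_s, pid, old_path, new_path)
EVENTS = [
    (10.0, 3416, r"C:\Users\Admin\Documents\budget.xlsx", r"C:\Users\Admin\Documents\budget.xlsx.x1y2z3"),
    (10.1, 3416, r"C:\Users\Admin\Documents\plan.docx", r"C:\Users\Admin\Documents\plan.docx.x1y2z3"),
    (10.2, 3416, r"C:\Users\Admin\Pictures\cat.jpg", r"C:\Users\Admin\Pictures\cat.jpg.x1y2z3"),
    (10.3, 3416, r"F:\share\q1.pdf", r"F:\share\q1.pdf.x1y2z3"),
    (10.4, 3416, r"C:\Users\Admin\Desktop\notes.txt", r"C:\Users\Admin\Desktop\notes.txt.x1y2z3"),
    # Benign control: another process changes an extension instead of appending one
    (11.0, 4100, r"C:\Users\Admin\Downloads\setup.tmp", r"C:\Users\Admin\Downloads\setup.exe"),
]


def appended_extension(old_path, new_path):
    """Return the suffix appended to the file name (with its leading dot), or
    None when the rename is not 'same directory, old name + new extension'."""
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if old_dir.lower() != new_dir.lower():
        return None
    if not new_name.lower().startswith(old_name.lower() + "."):
        return None
    return new_name[len(old_name):]


def rename_bursts(events, threshold=5, window_s=60.0):
    """Return {pid: (extension, total_count, drives)} for every process that
    appended the same extension to at least `threshold` files within any
    `window_s`-second window. Extensions are compared case-insensitively."""
    per_pid = defaultdict(list)
    for ts, pid, old, new in events:
        ext = appended_extension(old, new)
        if ext:
            per_pid[pid].append((ts, ext.lower(), ntpath.splitdrive(new)[0].upper()))

    hits = {}
    for pid, recs in per_pid.items():
        recs.sort()
        # The dominant appended extension is the one the encryptor uses
        ext, _ = Counter(r[1] for r in recs).most_common(1)[0]
        same = [r for r in recs if r[1] == ext]
        # Sliding window over timestamps: largest number of renames in window_s
        lo, best = 0, 0
        for hi in range(len(same)):
            while same[hi][0] - same[lo][0] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[pid] = (ext, len(same), sorted({r[2] for r in same}))
    return hits


if __name__ == "__main__":
    for pid, (ext, n, drives) in rename_bursts(EVENTS).items():
        print(f"pid {pid}: appended {ext} to {n} files on {', '.join(drives)}")
```

The threshold of 5 is for the constructed sample; a production rule would use a much higher count over a longer window and would also report the drives touched, since the report shows this sample reaching the F: drive as well as C:.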

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-10_c09185c157831e4915c255d7002941f4_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-10_c09185c157831e4915c255d7002941f4_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3416
    • C:\ProgramData\9347.tmp
      "C:\ProgramData\9347.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:5072
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9347.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2224
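Two details of the tree above matter when writing a rule for it. The cmd.exe image is C:\Windows\SysWOW64\cmd.exe although the command line names System32: the 32-bit parent is redirected by WOW64, so a rule keyed on the System32 image path misses this chain. And the DEL target is written with the 8.3 short name C:\PROGRA~3\9347.tmp, so a plain string compare against the parent's image path C:\ProgramData\9347.tmp fails. The Python below, an added example that is not part of this report or of any sandbox, detects the drop, execute, self-delete chain over constructed process-creation events modeled on PIDs 3416, 5072 and 2224; the event field layout and the sample's file name are assumptions, not a specific sensor's schema.

```python
"""Detect a process deleting its own parent's image via cmd.exe DEL.

Added example, not part of the sandbox report. The events are constructed
from the report's process tree; field layout is an assumption.
"""
import ntpath
import re

# Constructed process-creation events: (pid, ppid, image_path, command_line)
EVENTS = [
    (3416, 1000, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    (5072, 3416, r"C:\ProgramData\9347.tmp", r'"C:\ProgramData\9347.tmp"'),
    (2224, 5072, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9347.tmp >> NUL'),
    # Benign control: cmd.exe deleting an unrelated file, parent not in the set
    (2300, 1000, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\Temp\old.log'),
]

# DEL, any number of single-letter switches, then the (possibly quoted) target
DEL_RE = re.compile(r'\bDEL\b\s+(?:/[A-Za-z]\s+)*("[^"]+"|\S+)', re.IGNORECASE)


def _components(path):
    drive, rest = ntpath.splitdrive(path)
    return drive.upper(), [c for c in rest.split("\\") if c]


def _norm83(name):
    """Uppercase and drop characters that 8.3 mangling removes (spaces, dots)."""
    return re.sub(r"[^A-Z0-9]", "", name.upper())


def paths_match(candidate, actual):
    """True if `candidate` (which may use 8.3 short names such as PROGRA~3)
    refers to the same file as the long path `actual`. Heuristic: a component
    PREFIX~N[.EXT] matches an actual component whose normalized stem starts
    with PREFIX (and whose extension starts with EXT); other components must
    match case-insensitively. A short-named final component longer than eight
    characters is handled by the same rule."""
    cdrive, cparts = _components(candidate)
    adrive, aparts = _components(actual)
    if cdrive != adrive or len(cparts) != len(aparts):
        return False
    for c, a in zip(cparts, aparts):
        m = re.fullmatch(r"(.+?)~\d+(\.[^.]*)?", c)
        if m:
            a_stem, a_ext = ntpath.splitext(a)
            if not _norm83(a_stem).startswith(_norm83(m.group(1))):
                return False
            if not _norm83(a_ext).startswith(_norm83(m.group(2) or "")):
                return False
        elif c.lower() != a.lower():
            return False
    return True


def self_delete_chains(events):
    """Return one record per cmd.exe whose DEL target is its parent's image."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        if ntpath.basename(image).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(cmdline)
        if not m:
            continue
        target = m.group(1).strip('"')
        parent = by_pid.get(ppid)
        if parent and paths_match(target, parent[2]):
            hits.append({
                "cmd_pid": pid,
                "deleted_pid": ppid,
                "deleted_image": parent[2],
                # Image path under SysWOW64 means the parent was a 32-bit process
                "wow64": "syswow64" in image.lower(),
                # A non-.exe extension on an executed image is a masquerading hint
                "masqueraded_ext": ntpath.splitext(parent[2])[1].lower() != ".exe",
            })
    return hits


if __name__ == "__main__":
    for hit in self_delete_chains(EVENTS):
        print(hit)
```

The 8.3 matching is a heuristic: PROGRA~3 is only known to map to ProgramData on this particular host, so the rule accepts any directory whose name starts with PROGRA at that position, which is the right trade-off for a detection but not for forensic attribution, where the sensor's own long-path resolution should be used.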

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\OOOOOOOOOOO

    Filesize

    129B

    MD5

    0c6a5f70135a4ef004817329c1da4947

    SHA1

    6f48d8f3d739493a30670399177b93ece6f572a4

    SHA256

    e85628e22baa1e23c5e2e90a0861734073f71dc45d3108cc481b7a33d0bdf006

    SHA512

    a47171e7c0f7c192e76852a1bead3e3bdd6a6bdc99114ec5b95bea277c0a7eeb573a595bf0c1536684400381856ddfdad9491d5e44bdf208b053b4506a8c1153

  • C:\5VFg9o5tW.README.txt

    Filesize

    1KB

    MD5

    17e3459297cd54cf124d089248ff395b

    SHA1

    617e2ddd0a69a242d4da510d32670a170ff667fa

    SHA256

    94aaefad5d5a9fea79e9271941a5e874951cceac46a110ef0f1de841051f6421

    SHA512

    280536a672423a4bf4df1cb7cd49bd0a7a3f731dfe4543359a84d3a82d734e3882386b336af62a77e2763cbe7fe9e4ff6ae852241dd61ab702cda1b0d2f02e13

  • C:\ProgramData\9347.tmp

    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

    Filesize

    147KB

    MD5

    97da59baebd77bcaa72b698289bae9ae

    SHA1

    0bf17b1c3bd03a8aca62df88efdebf9878a51764

    SHA256

    e81e3d1644f36b0775724a1a9b72155f68dcff1b2ed999bde51be79c97803935

    SHA512

    2960f537856c5823c1b6a0c6f88234f5151abb2c1e3b16e84ce9cbcf0f642d8428502ad4992d27f14d031f7ce22335a10493c46fc5466ec462c2ea2b9010f303

  • F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\DDDDDDDDDDD

    Filesize

    129B

    MD5

    29c0abad612c2bb92771621b4ecec6b3

    SHA1

    9c2c9444b55dddd587264ab0dd2247856d9e9eb5

    SHA256

    d75ef2ac88e93dee72c361208a1e46ccc6b585acb1d217952e657a8b56dc1d99

    SHA512

    773042896881cfc5791143e3352e1cc7c374f34a4184c0188205f6891247ecf3dea323b3b0d92afd28a439748b30365bf063e1dc4c001c2d510dd1f7b85ece63

  • memory/3416-2820-0x0000000000D50000-0x0000000000D60000-memory.dmp

    Filesize

    64KB

  • memory/3416-1-0x0000000000D50000-0x0000000000D60000-memory.dmp

    Filesize

    64KB

  • memory/3416-2821-0x0000000000D50000-0x0000000000D60000-memory.dmp

    Filesize

    64KB

  • memory/3416-0-0x0000000000D50000-0x0000000000D60000-memory.dmp

    Filesize

    64KB

  • memory/3416-2822-0x0000000000D50000-0x0000000000D60000-memory.dmp

    Filesize

    64KB

  • memory/3416-2-0x0000000000D50000-0x0000000000D60000-memory.dmp

    Filesize

    64KB

  • memory/5072-2823-0x000000007FE40000-0x000000007FE41000-memory.dmp

    Filesize

    4KB

  • memory/5072-2825-0x000000007FE20000-0x000000007FE21000-memory.dmp

    Filesize

    4KB

  • memory/5072-2824-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

    Filesize

    4KB

  • memory/5072-2854-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

    Filesize

    4KB

  • memory/5072-2855-0x000000007FE00000-0x000000007FE01000-memory.dmp

    Filesize

    4KB