Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-01-2025 00:36

General

  • Target

    2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe

  • Size

    145KB

  • MD5

    93ba419d9c5319fddcd6839a38225c81

  • SHA1

    617d278f7a70b61db75df91bb35d63a5fa0efad3

  • SHA256

    be42cb8a1e01406a093980ce7d0e108a7faaf579ca4b72a622b4e27bedf38cad

  • SHA512

    214900f6ceed5b8f28142c5f21852c092275da412b9f1ed1de269ca694f466f3ece048f52461e25bc9c80b1468ad1d3f386b60bf98f8e7d17fde2514052d2366

  • SSDEEP

    1536:wzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDc7KjOo5QCVICtgzRsLgenUedta:PqJogYkcSNm9V7Dcmio5rVprLKWf8LT

Malware Config

Signatures

  • Renames multiple (649) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-21_93ba419d9c5319fddcd6839a38225c81_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:1584
    • C:\ProgramData\EC93.tmp
      "C:\ProgramData\EC93.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:5136
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\EC93.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:6076
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:4344
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{0F378B32-EEA4-4CA3-BBE7-A188DF7E441F}.xps" 133818933776540000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:3696

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\NNNNNNNNNNN

      Filesize

      129B

      MD5

      b68f94a893540f274c423a7e0a114638

      SHA1

      c2f17b76f738936ae4133d7583317ac9f8b1221e

      SHA256

      9718903c23dfa282b502ba8e78062e8cef8e64bbdb6c86be7696f92bbb7d509f

      SHA512

      c30de0134f42d6b9f802ff2aa502aa39c5218c8286a017568d2f626b845945625739ae463837c2b999e3d4977515e08f93fed52e1e92516a396c0377f740de91

    • C:\0hKkZEcBc.README.txt

      Filesize

      395B

      MD5

      8cce7f5f3be9f292153069bb624e8dbf

      SHA1

      ed4bd1856859441581d99a60685c58f68342c847

      SHA256

      43c3cf66423de7c10bd7eff9807063b16d864b018a6cb2e9b1682dff36ed9911

      SHA512

      6944f4b855a76a5288adacd930aa3a9fa15f78a1658b4f09682adb1e5d277ff212cabacc369be3447957569ee3103a4a5532f57476a5479fbac761a764e6e9c6

    • C:\ProgramData\EC93.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      145KB

      MD5

      28a88b80397b0c371207ed95e3a4ff6f

      SHA1

      be14beb133835ce9cb0f0fb2f1f5f205805d2fb0

      SHA256

      912345b49ad7e4a8380553b724a88f1f5ec461c742472d78d7570ca43492926a

      SHA512

      f7e5eb0fc3b9cd26085b20642cb349acb809ee35d47f61bcba9dc8d0afac71202635162eb058036dab655847f6df778e925c7bce08439e57e3ad1667e1984f4c

    • C:\Users\Admin\AppData\Local\Temp\{D01E40EE-132E-4528-8B91-C3CB2F3C9CFD}

      Filesize

      4KB

      MD5

      8335aad5ab97a228dc83d4340a198a62

      SHA1

      e2448ce01dd65e706ba2dac2a13620aed0141c16

      SHA256

      4726db9c27d5f67d7264ac01d065f30e08540d567420ad15fbcb7b0a04f380f1

      SHA512

      078196d1670b300c05ed592fa4dd97d34cd3de3e939fc03e50d67d4e22fb0d6926154aacaac42aad1f8cbe960ee05188c5125ba65dda3087b46253a8f85dbfce

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      d6c30aa45a7286bb271c7c1abd9bc928

      SHA1

      9ba4a8008f22ef70d20b42bef3c0ddaec4020a4d

      SHA256

      dc2112eaac421a398148062bd2eb64278b464b0dacb45c01ee990386dcadb824

      SHA512

      3fcb16d7580978d230d883b3e89af31a718a59fa0b84fb21b132c4830fd47136578abcacf1ff54961c6675580dee9fe50d8fee6c5ee8e19b9afbb0bfe2cbf816

    • F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      b13753ffd13cb1f1a9810223cf21729a

      SHA1

      ad7f0276b2766e7d47a3ec837b5445c173e000ce

      SHA256

      a22131a3250c8f5dd919caa09d6c44bf36e7d664cc6b4293b06921d0a08cd1e6

      SHA512

      0bebf4343515071c38914811c24e36a0bd09bba0d1aa3210066e401d159d0d77d1e08c9c63c7802587f7be4a89051a49fa650a5435fdf82e4641b4c79762de5c

    • memory/1996-0-0x0000000000CF0000-0x0000000000D00000-memory.dmp

      Filesize

      64KB

    • memory/1996-1-0x0000000000CF0000-0x0000000000D00000-memory.dmp

      Filesize

      64KB

    • memory/1996-2987-0x0000000000CF0000-0x0000000000D00000-memory.dmp

      Filesize

      64KB

    • memory/1996-2988-0x0000000000CF0000-0x0000000000D00000-memory.dmp

      Filesize

      64KB

    • memory/1996-2989-0x0000000000CF0000-0x0000000000D00000-memory.dmp

      Filesize

      64KB

    • memory/1996-2-0x0000000000CF0000-0x0000000000D00000-memory.dmp

      Filesize

      64KB

    • memory/3696-3009-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

      Filesize

      64KB

    • memory/3696-3005-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

      Filesize

      64KB

    • memory/3696-3008-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

      Filesize

      64KB

    • memory/3696-3038-0x00007FFF52050000-0x00007FFF52060000-memory.dmp

      Filesize

      64KB

    • memory/3696-3039-0x00007FFF52050000-0x00007FFF52060000-memory.dmp

      Filesize

      64KB

    • memory/3696-3006-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

      Filesize

      64KB

    • memory/3696-3007-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

      Filesize

      64KB