a2c5641802ebce37fe3b84d87c9a1b2acd3556054a0dc8ed72139728c148a64a

Analysis

max time kernel
101s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddn/BDDarkSideDecryptor.exe
Size

9.5MB
MD5

cb1b67988c63e6e951be00b3eda7f74f
SHA1

049fff52f877516a756c6333d12b3c1c1cfbe519
SHA256

1a72fe563f588580440da34a03b1af3ba072e66404608c521b4adbcb034a33f6
SHA512

ef1d74da565026fef631f83dee70fafb661bea74cad69b70035f10700b733f64ce34b3308c0fee59222d1eb0767b87672f1f824ea923008c70a3e8be229ff289
SSDEEP

196608:IdJEHHWtwPlARRmtejsum3/DBekLV58IzN6+ZR62Wi:IbEn9PlAGMivDdjxNF762W

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4448	RemovalToolGUI.exe

Loads dropped DLL 2 IoCs

pid	Process
4448	RemovalToolGUI.exe
4448	RemovalToolGUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BDDarkSideDecryptor.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 4448	3236	BDDarkSideDecryptor.exe	86
PID 3236 wrote to memory of 4448	3236	BDDarkSideDecryptor.exe	86

C:\Users\Admin\AppData\Local\Temp\ddn\BDDarkSideDecryptor.exe
"C:\Users\Admin\AppData\Local\Temp\ddn\BDDarkSideDecryptor.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\RemovalToolGUI.exe
  C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\RemovalToolGUI.exe "
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\DarkSideDecryptLib.dll

Filesize
2.0MB

MD5
601e4a912e9ba1e981948c031740e97e

SHA1
2953868dafb5a02f9908c94227867fde307f18ef

SHA256
9af591339601d1805e3f527a3840950b9d3653f4d651e99d08f7a61dbb5da78d

SHA512
f7aebcdcf3a69dcbda5daea54b80a649261b3a18d5c65932f8bd241d3ca31c33858895aa8f675e08e25c02f8ae9bddd79dd442c35655d9a6f500006f8a5046f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\RemovalToolGUI.exe

Filesize
1.2MB

MD5
70375699fe4024ffe8413eefa6f3144b

SHA1
a8d51adf1e62d0465df307d064ecb26acc67258f

SHA256
6eb8a7b89716a71975ac07becd7785108b3f2e8ba37a9bc28859c2835bddd0df

SHA512
8f3074ba1a1aba0754ef9fd05ef432bd5255e39db508ca2dade9a932751c4e11fd87b82e8953fd7d6f279656a0cb30046ba93e8a35057114b9c031f272e5b75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\sciter.dll

Filesize
7.8MB

MD5
ea713bc436d655ac7afdb0b0b763999f

SHA1
a4d63919437372650c0f355ba42304db07a6bca1

SHA256
a18e82f09c16fad1c17a03a53d21d5b5857c29e99f0dfc6f9060499377b7c25a

SHA512
35da588b84ea6e1d912d68e0c9e378b13786dd2b52bc47f7e3d826f8899da2e4479997a582f4e0fbdfe72823d862b922345d8427979778a24616c9472fb4d7b3

Download Submit
memory/4448-9-0x00007FFD9C670000-0x00007FFD9C87E000-memory.dmp

Filesize
2.1MB

Download