darkside | 89eeac2abad61ef22fd914f9c4efaba04ca830d93ab1611c985531ac6d5e8460

Analysis

max time kernel
108s
max time network
109s
platform
windows7_x64
resource
win7v20210410
submitted
12-05-2021 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Size

56KB
MD5

84c1567969b86089cc33dccf41562bcd
SHA1

53f2133cb25186e9fa6d4ea3b0e41eee5aba5ef2
SHA256

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b
SHA512

72a411cacd503b6fadb15dc90f1f9beb79ff79c620df76da381e5c780c53e11258aae72db2848c241ec55af403d67d62340e429e86c23bbf8a71287738de7eaa

Score

10^/10

darkside ransomware

Malware Config

Extracted

Path

C:\\README.949640ab.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 500GB data. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I When you open our website, put the following data in the input form: Key: I3tBdXvJ3pOvnhgmupZAJ7BpD5IVUftr7deEdtoxwK0QcbZciUXfs5ChjD0Yj8H2wUXfctFHYShVQHWhwi1CBDRQVPgXqnCgVRQql7B1tS8Q6TSdHq5o0UxOaDrdKCoMCdrMZiw0RTbfpDpuRwLI52rP5YaqZx492wErocN9C7PE6eFQEcqwqiFNA1FwVD3fogTJqOdTJI84FnlCBuRd1ippdTk8y2x16ukfPvVHi4MhyU8i4K1Q25a7wXQUPXhIffgZBnTimLzalSGyaI3f2MlQeYbpFG2o4nfnZCHDMAZAUY6CaiR0eAYVEvesreMmimT1EOyGYjNVtGHrJYXuRI4tYZIVlsHm6Ord42NV9s9PftLGkO8NBScZ9dBTNtz0xw9tpgu8GegVTlMesg6xkUAQWJcy6MNt9nJ7lHydpu27bA1GL8MX8lWAldnClSoUrDYRc8RAZ1oUfMfbtmvMDBGVENh8kMUYaxOt7hD1HxKFn0p5XcCDzWRSWkKUTtt7C6OiIpNOUAYYJ3UvC5S3uoXmt4iokkGq1SSMnr7sXmnekmh9oNwJgh7 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SelectCheckpoint.crw => C:\Users\Admin\Pictures\SelectCheckpoint.crw.949640ab	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Users\Admin\Pictures\SelectCheckpoint.crw.949640ab	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Drops file in System32 directory 1 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\949640ab.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Modifies data under HKEY_USERS 45 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 3060a16c6547d701	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 5ca815135c3c6ecb42be8d239ed306dbe8bc32c9c0c7f106db508cb37c427c0b	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 7500ecaef1a0be9a0b927866b18dbb25d02b30d30d5a968463ee382ba1287cb2	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d002e0062006c00660000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 07fd1ca3f52c403069405fb177518b7699824525eea25816a3635de44a723a31	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 98060000f04ef26c6547d701	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07000d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = e858cde82179c1eac7f86ad30c8b9fde0a2c3d18beb1fbe3d972f35cfe9d32db	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 2ddd2ebc2bde8e71cba4ce5181afa22d0a273df9b77b99839d295c74ca6e7405	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\949640ab.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = 3060a16c6547d701	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = dbb1427e50eba91188fe286b3e2cca7e988a1e04daeca489ee37b780b5eaf444	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = e8e80edcb6f52a37b92c2e94b919bcd66310b95ec5d97bdf7ce2f854c6f23f4a	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 4ca2617ebb40fd6c6cc967b0f73aaad701f0801452965e37021b5a07b6f77333	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Modifies registry class 5 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\949640ab	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\949640ab\DefaultIcon\ = "C:\\ProgramData\\949640ab.ico"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.949640ab	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.949640ab\ = "949640ab"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\949640ab\DefaultIcon	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

pid	process
1100	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1100	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1688	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 800 vssvc.exe
Token: SeRestorePrivilege 800 vssvc.exe
Token: SeAuditPrivilege 800 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	800	vssvc.exe
Token: SeRestorePrivilege	800	vssvc.exe
Token: SeAuditPrivilege	800	vssvc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	pid	process	target process
PID 2036 wrote to memory of 1100	2036	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 2036 wrote to memory of 1100	2036	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 2036 wrote to memory of 1100	2036	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 2036 wrote to memory of 1100	2036	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 2036 wrote to memory of 1100	2036	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 1100 wrote to memory of 1688	1100	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 1100 wrote to memory of 1688	1100	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 1100 wrote to memory of 1688	1100	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 1100 wrote to memory of 1688	1100	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
"C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
1⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
"C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
  "C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
  2⤵
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
    C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe -work worker0 job0-1100
    3⤵
    - Modifies extensions of user files
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:1688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1076-60-0x00000000768B1000-0x00000000768B3000-memory.dmp

Filesize
8KB

Download
memory/1100-62-0x0000000000000000-mapping.dmp

Download
memory/1688-64-0x0000000000000000-mapping.dmp

Download