darkside | 89eeac2abad61ef22fd914f9c4efaba04ca830d93ab1611c985531ac6d5e8460

Analysis

max time kernel
120s
max time network
128s
platform
windows10_x64
resource
win10v20210410
submitted
12-05-2021 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Size

56KB
MD5

84c1567969b86089cc33dccf41562bcd
SHA1

53f2133cb25186e9fa6d4ea3b0e41eee5aba5ef2
SHA256

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b
SHA512

72a411cacd503b6fadb15dc90f1f9beb79ff79c620df76da381e5c780c53e11258aae72db2848c241ec55af403d67d62340e429e86c23bbf8a71287738de7eaa

Score

10^/10

darkside ransomware

Malware Config

Extracted

Path

C:\\README.aeef1a75.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 500GB data. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I When you open our website, put the following data in the input form: Key: I3tBdXvJ3pOvnhgmupZAJ7BpD5IVUftr7deEdtoxwK0QcbZciUXfs5ChjD0Yj8H2wUXfctFHYShVQHWhwi1CBDRQVPgXqnCgVRQql7B1tS8Q6TSdHq5o0UxOaDrdKCoMCdrMZiw0RTbfpDpuRwLI52rP5YaqZx492wErocN9C7PE6eFQEcqwqiFNA1FwVD3fogTJqOdTJI84FnlCBuRd1ippdTk8y2x16ukfPvVHi4MhyU8i4K1Q25a7wXQUPXhIffgZBnTimLzalSGyaI3f2MlQeYbpFG2o4nfnZCHDMAZAUY6CaiR0eAYVEvesreMmimT1EOyGYjNVtGHrJYXuRI4tYZIVlsHm6Ord42NV9s9PftLGkO8NBScZ9dBTNtz0xw9tpgu8GegVTlMesg6xkUAQWJcy6MNt9nJ7lHydpu27bA1GL8MX8lWAldnClSoUrDYRc8RAZ1oUfMfbtmvMDBGVENh8kMUYaxOt7hD1HxKFn0p5XcCDzWRSWkKUTtt7C6OiIpNOUAYYJ3UvC5S3uoXmt4iokkGq1SSMnr7sXmnekmh9oNwJgh7 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CompleteSubmit.raw => C:\Users\Admin\Pictures\CompleteSubmit.raw.aeef1a75	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File renamed	C:\Users\Admin\Pictures\DebugUse.crw => C:\Users\Admin\Pictures\DebugUse.crw.aeef1a75	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Users\Admin\Pictures\DebugUse.crw.aeef1a75	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File renamed	C:\Users\Admin\Pictures\MeasureUpdate.tif => C:\Users\Admin\Pictures\MeasureUpdate.tif.aeef1a75	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Users\Admin\Pictures\StepGet.tiff	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File renamed	C:\Users\Admin\Pictures\StepGet.tiff => C:\Users\Admin\Pictures\StepGet.tiff.aeef1a75	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Users\Admin\Pictures\StepGet.tiff.aeef1a75	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteSubmit.raw.aeef1a75	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Users\Admin\Pictures\MeasureUpdate.tif.aeef1a75	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
File opened (read-only)	\??\Z:	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened (read-only)	\??\Z:	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Drops file in System32 directory 15 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAB7F775BADE1EC8628B8D8B4C22C44D	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAB7F775BADE1EC8628B8D8B4C22C44D	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\aeef1a75.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "10"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Modifies data under HKEY_USERS 32 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 2bd50e0df48fc27a3ae354823e4955dd7fad7feaf9a39ca1de67a679488d93c4	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = e8010000c6e856696547d701	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 80617cf1de51c0782b492608731bd1f77cb761eb1c95b6b1dd4859b4fd4848c3	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = b96a0532259ac6a1b6fa38689d24ff067ea01e7383f36377ae63d8e95c7d2008	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = ddf5b84ac93eeafd55739b609745573358611cce9e3ed22e08ed166ba251f7c2	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\aeef1a75.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 030408070024f6a75881c5e10bf587a0d8be0cf621a0f3fd94dafcb5b1399231	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = c613ec13b872861c145f900f8f895d27cf2437cacd0ff216c8d20aa707ea2602	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 9da8a53faa9d19f7cc559037b2cd1a1975812bc194de56ec7751a41d1425193c	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d002e0062006c00660000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 8d3d2741907bfa711a8315f62239a3f0547ba86a001578315fe914af277ad279	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Modifies registry class 5 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.aeef1a75\ = "aeef1a75"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aeef1a75\DefaultIcon	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\aeef1a75	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\aeef1a75\DefaultIcon\ = "C:\\ProgramData\\aeef1a75.ico"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.aeef1a75	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

pid	process
1624	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
1624	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
488	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2648 vssvc.exe
Token: SeRestorePrivilege 2648 vssvc.exe
Token: SeAuditPrivilege 2648 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2648	vssvc.exe
Token: SeRestorePrivilege	2648	vssvc.exe
Token: SeAuditPrivilege	2648	vssvc.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

description	pid	process	target process
PID 1504 wrote to memory of 1624	1504	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 1504 wrote to memory of 1624	1504	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 1504 wrote to memory of 1624	1504	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 1504 wrote to memory of 1624	1504	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 1624 wrote to memory of 488	1624	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 1624 wrote to memory of 488	1624	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 1624 wrote to memory of 488	1624	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 1624 wrote to memory of 988	1624	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 1624 wrote to memory of 988	1624	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
PID 1624 wrote to memory of 988	1624	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
"C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
1⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
"C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
"C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
2⤵
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe -work worker0 job0-1624
3⤵
- Modifies extensions of user files
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:488

C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe -work worker1 job1-1624
3⤵
- Enumerates connected drives
PID:988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/488-115-0x0000000000000000-mapping.dmp

Download
memory/988-116-0x0000000000000000-mapping.dmp

Download
memory/1624-114-0x0000000000000000-mapping.dmp

Download