darkside | 90b7fa77350b6b3abbcc97530f020488b7b2c1085e221cdf06eed5b303c50e61

Analysis

max time kernel
314s
max time network
887s
platform
windows10-1703_x64
resource
win10-20220901-es
resource tags

arch:x64arch:x86image:win10-20220901-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
29-11-2022 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47d19d8876bd39f1038746379dce3926.exe
Size

33KB
MD5

47d19d8876bd39f1038746379dce3926
SHA1

2401210fe6a163da4a873d2650df73a73d190236
SHA256

a82aec54cad176b368967fa8e41e41a8129ffafe6ab627312e111e63605b8478
SHA512

8180be15f2d3e4203fad7e9bfdc0488feef2e205cf407c383d9f3bf4c846a17133b22048cd442d870a1993a1e10706467eb6334331dd46d006e8ffecb60358ef
SSDEEP

768:WL5FXM/yQkMoKBFYQpP7zvoqskGvfIoTMSkaRrWzn3gAMi0WC4I:Ec6Q6mRAqskGvfkaRrWzXrL

Score

10^/10

darkside ransomware upx

Malware Config

Extracted

Path

C:\\README.d61cea8e.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have downloaded more then 500GB data from your network. Included: -Accounting data -Finance data -HR -Employees confidential data(photos, benefits, taxes, etc) -Marketing -Budgets -Taxes(sales tax compliance, property, income and franchise taxes, etc) -Payrolls -Banking data -Arbitration -Scans -Insurance -Reconciliations -Reports(monthly bank inventory, monthly financial, claims reports, etc) -Audits(DHG, insurance audits, etc) -B2B clients config data -Confidentiality 2020 -2020, 2021 Business plans -2019, 2020, 2021 years Closing (full dumps) -and a lot of other sensitive data Your personal leak page: http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q On the page you will find examples of files that have been downloaded. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM When you open our website, put the following data in the input form: Key: ug8lgpX3WrFzlEJ6HBWlwJnf7jemhfnlxBw9porj1uuYFTgKbxJQJLYiteQS7DwgZn7dH0fs7qPPWmZ6inPv5GTmSJZNAjGLVIjd4SoiyTdGyophf0zPBxx6uEAOJxM0Woo4ZGeKVoUDHtZsqZNnhMF7aPh54VnKpIJXiZDbZZw4P06xTuw1UMeiTE7wdg7HWZMepAVTzEI2W04RbkPFQHfUgEDcslDxbr83BvopYTYGKFRmtNUMH8OsOZQrOtv50xWDaOfbqxbzfHMJm30QGaGpgylJHQZsscz3XBnwIdvlwBJ9KN4DVgFgziRdvwJrfCP6YN1CYTOQgw1rzqmIU4G1xGYv7rE3jiBY1s4D3Y26SbppTceAVMu1mKx5CFIE3EbtcAsNtEqLHDbPnMCvU6Apwp17TXGob8xXJpEDBZhIzdTaCuybcprwcFNTOzccjbIH81W39MrcJi9mNO3kHRe5fxmIFKvc9v8aQDihGyC65DtdabyBjidXI1NyNONT4PTyrxYqgffPsNDFuzz2yMrXiTAwtAQPqny5BBJQsfVhpLXTtnLvWg1 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

47d19d8876bd39f1038746379dce3926.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RenameCompare.raw => C:\Users\Admin\Pictures\RenameCompare.raw.d61cea8e	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Users\Admin\Pictures\RenameCompare.raw.d61cea8e	47d19d8876bd39f1038746379dce3926.exe
File renamed	C:\Users\Admin\Pictures\RestoreAdd.crw => C:\Users\Admin\Pictures\RestoreAdd.crw.d61cea8e	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreAdd.crw.d61cea8e	47d19d8876bd39f1038746379dce3926.exe
File renamed	C:\Users\Admin\Pictures\StopSearch.raw => C:\Users\Admin\Pictures\StopSearch.raw.d61cea8e	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Users\Admin\Pictures\StopSearch.raw.d61cea8e	47d19d8876bd39f1038746379dce3926.exe
File renamed	C:\Users\Admin\Pictures\TestNew.raw => C:\Users\Admin\Pictures\TestNew.raw.d61cea8e	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Users\Admin\Pictures\TestNew.raw.d61cea8e	47d19d8876bd39f1038746379dce3926.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2584-127-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/3328-175-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/2584-218-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/3328-220-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1360-234-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/4444-349-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/4444-352-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1360-354-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Drops file in System32 directory 21 IoCs

Processes:

47d19d8876bd39f1038746379dce3926.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	47d19d8876bd39f1038746379dce3926.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\MKUMMMLW.cookie	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	47d19d8876bd39f1038746379dce3926.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\K5GZ3PJG.cookie	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\K5GZ3PJG.cookie	47d19d8876bd39f1038746379dce3926.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\D9XIE5KZ.cookie	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8FE373924026D77D63F520328AE9C865	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\MKUMMMLW.cookie	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8FE373924026D77D63F520328AE9C865	47d19d8876bd39f1038746379dce3926.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\D9XIE5KZ.cookie	47d19d8876bd39f1038746379dce3926.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

47d19d8876bd39f1038746379dce3926.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\d61cea8e.BMP"	47d19d8876bd39f1038746379dce3926.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

47d19d8876bd39f1038746379dce3926.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\Desktop	47d19d8876bd39f1038746379dce3926.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\Desktop\WallpaperStyle = "10"	47d19d8876bd39f1038746379dce3926.exe

Modifies data under HKEY_USERS 35 IoCs

Processes:

47d19d8876bd39f1038746379dce3926.exe47d19d8876bd39f1038746379dce3926.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 203f6ac3b4a0d486393b8fbb111b7bd97eb8c29ee028fdcdcde828f4e9041b24	47d19d8876bd39f1038746379dce3926.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	47d19d8876bd39f1038746379dce3926.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	47d19d8876bd39f1038746379dce3926.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	47d19d8876bd39f1038746379dce3926.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	47d19d8876bd39f1038746379dce3926.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	47d19d8876bd39f1038746379dce3926.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = a9fe82abc48ff8dc0beee99d45e63eb961f887c230b06012324c95e8f48f84f4	47d19d8876bd39f1038746379dce3926.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	47d19d8876bd39f1038746379dce3926.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	47d19d8876bd39f1038746379dce3926.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d002e0062006c00660000000000	47d19d8876bd39f1038746379dce3926.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 5384b710c091a8190ce9428c59999ee323556be77580790e56966f8cecd1c099	47d19d8876bd39f1038746379dce3926.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	47d19d8876bd39f1038746379dce3926.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	47d19d8876bd39f1038746379dce3926.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = cccd319834a5472d1e91789eb46026be7136660e4fda23d420c72c8b673e22d1	47d19d8876bd39f1038746379dce3926.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	47d19d8876bd39f1038746379dce3926.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 14f8e46d272097f653d2ddf210f4fb55d5c1ce599fb6300c03d539811ad6eb7c	47d19d8876bd39f1038746379dce3926.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	47d19d8876bd39f1038746379dce3926.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	47d19d8876bd39f1038746379dce3926.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	47d19d8876bd39f1038746379dce3926.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	47d19d8876bd39f1038746379dce3926.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	47d19d8876bd39f1038746379dce3926.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 559ad74906ee28accb2a52ffe126a2d35dd398eae752b586a7f54309caab0d3b	47d19d8876bd39f1038746379dce3926.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\d61cea8e.BMP"	47d19d8876bd39f1038746379dce3926.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	47d19d8876bd39f1038746379dce3926.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	47d19d8876bd39f1038746379dce3926.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000	47d19d8876bd39f1038746379dce3926.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = b4ba4b9382dcf4733e9bcae533b04e0914afe04c48c628dbdb036ce59b33a632	47d19d8876bd39f1038746379dce3926.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	47d19d8876bd39f1038746379dce3926.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 5c110000cd3ad3d2e803d901	47d19d8876bd39f1038746379dce3926.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 9c4eede87acf3ac04609f121e68046771a46833b5b85e460adbd69c4bba15248	47d19d8876bd39f1038746379dce3926.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	47d19d8876bd39f1038746379dce3926.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 2e22e73241438ac77a24861b94d911d65fdec92c55ef4041bde7971790292ddc	47d19d8876bd39f1038746379dce3926.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = b77fc885cb851d198d7c24cef6443fbcef06c78ced5d4018bec84ce4695801b6	47d19d8876bd39f1038746379dce3926.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	47d19d8876bd39f1038746379dce3926.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	47d19d8876bd39f1038746379dce3926.exe

Modifies registry class 5 IoCs

Processes:

47d19d8876bd39f1038746379dce3926.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.d61cea8e	47d19d8876bd39f1038746379dce3926.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.d61cea8e\ = "d61cea8e"	47d19d8876bd39f1038746379dce3926.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\d61cea8e\DefaultIcon	47d19d8876bd39f1038746379dce3926.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\d61cea8e	47d19d8876bd39f1038746379dce3926.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\d61cea8e\DefaultIcon\ = "C:\\ProgramData\\d61cea8e.ico"	47d19d8876bd39f1038746379dce3926.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

47d19d8876bd39f1038746379dce3926.exe47d19d8876bd39f1038746379dce3926.exe

pid	process
1360	47d19d8876bd39f1038746379dce3926.exe
1360	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe
4444	47d19d8876bd39f1038746379dce3926.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3228 vssvc.exe
Token: SeRestorePrivilege 3228 vssvc.exe
Token: SeAuditPrivilege 3228 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	3228	vssvc.exe
Token: SeRestorePrivilege	3228	vssvc.exe
Token: SeAuditPrivilege	3228	vssvc.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

47d19d8876bd39f1038746379dce3926.exe47d19d8876bd39f1038746379dce3926.exe

description	pid	process	target process
PID 3328 wrote to memory of 1360	3328	47d19d8876bd39f1038746379dce3926.exe	47d19d8876bd39f1038746379dce3926.exe
PID 3328 wrote to memory of 1360	3328	47d19d8876bd39f1038746379dce3926.exe	47d19d8876bd39f1038746379dce3926.exe
PID 3328 wrote to memory of 1360	3328	47d19d8876bd39f1038746379dce3926.exe	47d19d8876bd39f1038746379dce3926.exe
PID 3328 wrote to memory of 1360	3328	47d19d8876bd39f1038746379dce3926.exe	47d19d8876bd39f1038746379dce3926.exe
PID 1360 wrote to memory of 4444	1360	47d19d8876bd39f1038746379dce3926.exe	47d19d8876bd39f1038746379dce3926.exe
PID 1360 wrote to memory of 4444	1360	47d19d8876bd39f1038746379dce3926.exe	47d19d8876bd39f1038746379dce3926.exe
PID 1360 wrote to memory of 4444	1360	47d19d8876bd39f1038746379dce3926.exe	47d19d8876bd39f1038746379dce3926.exe

C:\Users\Admin\AppData\Local\Temp\47d19d8876bd39f1038746379dce3926.exe
"C:\Users\Admin\AppData\Local\Temp\47d19d8876bd39f1038746379dce3926.exe"
1⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\47d19d8876bd39f1038746379dce3926.exe
"C:\Users\Admin\AppData\Local\Temp\47d19d8876bd39f1038746379dce3926.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3328

C:\Users\Admin\AppData\Local\Temp\47d19d8876bd39f1038746379dce3926.exe
"C:\Users\Admin\AppData\Local\Temp\47d19d8876bd39f1038746379dce3926.exe"
2⤵
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\47d19d8876bd39f1038746379dce3926.exe
C:\Users\Admin\AppData\Local\Temp\47d19d8876bd39f1038746379dce3926.exe -work worker0 job0-1360
3⤵
- Modifies extensions of user files
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1360-215-0x0000000000000000-mapping.dmp

Download
memory/1360-234-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1360-354-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2584-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-127-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2584-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2584-218-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3328-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-175-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3328-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-185-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3328-220-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4444-301-0x0000000000000000-mapping.dmp

Download
memory/4444-349-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4444-352-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download