Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/06/2023, 02:40
Behavioral task: behavioral1
Sample: 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Resource: win10v2004-20230220-en
General
Target: 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Size: 153KB
MD5: aab7e6cfae95a4eae23a4db81841421c
SHA1: a1fe8e62f1a39b8772772224641c3842a79747b5
SHA256: ba0eefdfbd1421d37d47f3feaae8e768a4679d6b544bb97f5237319e8ab0b122
SHA512: 01395cf60bf40f400e0f5bb93f22db45a9ebbe7f7d99ac7df4da340d5e2b10ce65c7da0e59d71e7bd5b1d46aabc82b0dcbd2358d73370201d9517aad30e66977
SSDEEP: 3072:jqJogYkcSNm9V7Da2WTcOAil3jtxC2MT:jq2kc4m9tD+Ndjzj
Malware Config
Extracted: C:\j3ncKbrq7.README.txt
Family: lockbit
URLs:
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Renames multiple (618) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies extensions of user files (11 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\PushRestart.png => C:\Users\Admin\Pictures\PushRestart.png.j3ncKbrq7 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
File renamed | C:\Users\Admin\Pictures\SwitchRestart.raw => C:\Users\Admin\Pictures\SwitchRestart.raw.j3ncKbrq7 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
File renamed | C:\Users\Admin\Pictures\RemoveCheckpoint.tif => C:\Users\Admin\Pictures\RemoveCheckpoint.tif.j3ncKbrq7 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\RemoveCheckpoint.tif.j3ncKbrq7 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\BackupWrite.tiff | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
File renamed | C:\Users\Admin\Pictures\BackupWrite.tiff => C:\Users\Admin\Pictures\BackupWrite.tiff.j3ncKbrq7 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\BackupWrite.tiff.j3ncKbrq7 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
File renamed | C:\Users\Admin\Pictures\InstallPing.raw => C:\Users\Admin\Pictures\InstallPing.raw.j3ncKbrq7 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\InstallPing.raw.j3ncKbrq7 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\PushRestart.png.j3ncKbrq7 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\SwitchRestart.raw.j3ncKbrq7 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | DB0F.tmp
-
Executes dropped EXE (1 IoC)
pid | Process
2408 | DB0F.tmp
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) (1 IoC)
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2275444769-3691835758-4097679484-1000\desktop.ini | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
-
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\PPkc0wiaf8z1iiefzpr1vtt5ptc.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
File created | C:\Windows\system32\spool\PRINTERS\PPwxs2qx03v3z7007h260qd4muc.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PP5nf3jex6ntgjcapu99cocvr_d.TMP | printfilterpipelinesvc.exe
-
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\j3ncKbrq7.bmp" | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\j3ncKbrq7.bmp" | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | Process
2408 | DB0F.tmp
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
-
Modifies Control Panel (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
-
Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.j3ncKbrq7 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.j3ncKbrq7\ = "j3ncKbrq7" | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\j3ncKbrq7\DefaultIcon | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\j3ncKbrq7 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\j3ncKbrq7\DefaultIcon\ = "C:\\ProgramData\\j3ncKbrq7.ico" | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
-
Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid | Process
4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe (58 entries)
4836 | ONENOTE.EXE (2 entries)
-
Suspicious behavior: RenamesItself (26 IoCs)
pid | Process
2408 | DB0F.tmp (26 entries)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeAssignPrimaryTokenPrivilege | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Token: SeBackupPrivilege | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Token: SeDebugPrivilege | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Token: 36 | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Token: SeImpersonatePrivilege | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Token: SeIncBasePriorityPrivilege | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Token: SeIncreaseQuotaPrivilege | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Token: 33 | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Token: SeManageVolumePrivilege | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Token: SeProfSingleProcessPrivilege | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Token: SeRestorePrivilege | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Token: SeSecurityPrivilege | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Token: SeSystemProfilePrivilege | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Token: SeTakeOwnershipPrivilege | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Token: SeShutdownPrivilege | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Token: SeDebugPrivilege | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
Token: SeBackupPrivilege | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe (2 entries)
Token: SeSecurityPrivilege | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe (2 entries)
(the preceding pair of SeBackupPrivilege x2 / SeSecurityPrivilege x2 rows repeats 12 times in the report, 48 entries in total)
-
Suspicious use of SetWindowsHookEx (13 IoCs)
pid | Process
4836 | ONENOTE.EXE (13 entries)
-
Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 4964 wrote to memory of 2580 | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe | 86
PID 4964 wrote to memory of 2580 | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe | 86
PID 4932 wrote to memory of 4836 | 4932 | printfilterpipelinesvc.exe | 89
PID 4932 wrote to memory of 4836 | 4932 | printfilterpipelinesvc.exe | 89
PID 4964 wrote to memory of 2408 | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe | 90
PID 4964 wrote to memory of 2408 | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe | 90
PID 4964 wrote to memory of 2408 | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe | 90
PID 4964 wrote to memory of 2408 | 4964 | 2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe | 90
PID 2408 wrote to memory of 1240 | 2408 | DB0F.tmp | 92
PID 2408 wrote to memory of 1240 | 2408 | DB0F.tmp | 92
PID 2408 wrote to memory of 1240 | 2408 | DB0F.tmp | 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2023-05-30_aab7e6cfae95a4eae23a4db81841421c_darkside.exe"
  PID: 4964
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 2580
      - Drops file in System32 directory

    C:\ProgramData\DB0F.tmp
      Command line: "C:\ProgramData\DB0F.tmp"
      PID: 2408
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DB0F.tmp >> NUL
          PID: 1240

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 5044

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 1348

C:\Windows\system32\printfilterpipelinesvc.exe
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  PID: 4932
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
      Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{3ED4788A-4B80-48B8-8C32-17E8E7E2F382}.xps" 133300680928490000
      PID: 4836
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 129B
MD5: b22eb766aeeb5dcebc7335f6bac2d5ca
SHA1: d5a168d4c804cfcc0f1c7fc7f90115f4e39827c0
SHA256: b408d8ca6c62b68d858e936b5a93c209728949c498c420bcb6fcf2630e4f0e58
SHA512: 6e1691a1e6bcaf8b40389eccc16194c1559b45f7a4546ed03441550d26a1e152a114ae834d4655eb124f191e28355be2cbb2e5ab2ce3ad2155d973500fc49690
(this identical entry is listed 27 times in the report)
-
Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
(this identical entry is listed twice in the report)
-
Filesize: 153KB
MD5: 9fb81607573f539003d2e687af95a8cf
SHA1: 78c6d64b1bdc0dc0fa0e431d2e183924bfcbbc78
SHA256: 977d168b173e1c470b3d0444c5008b8702feea628c6a2f0eef2066d38ac56c08
SHA512: 4f67d517b7b94fe224eec930c7c45468899f008cb68a9b6b6835cff48e2ada6262f80726ff73d0e53a1be5e58b1b4910d78c4345379e9de7c6067821b0723ca3
-
Filesize: 4KB
MD5: afc5e09e875c5bddddfae291faaa3a74
SHA1: c62ea2f28f53850f938f3977fb4ae9771788268c
SHA256: fe107ac53e8a2a9353a6ae303670ea49a868face5cf6549849caae132d57458c
SHA512: e702a89162f9390134862d0767ace0d32672cbb317c17484c073f892c366c82afce81cb2f5a0d61b436fb1dc29af9cb8b426110e1c9ffc2f609324f9a7c6a733
-
Filesize: 4KB
MD5: 230cfee66a971775027571760e698339
SHA1: 6e3037b3680e6d558ce20cb46468e80b8f1c2d63
SHA256: f796bb52954458191df01dc119566e4deebac3d133f9b7cdda660a197838e7ec
SHA512: 85bcd2eda0f9c2723ee18a18d8a06e99cfff5e897ff058239bcf949e6197e610389c333c5bc8b5fdc41d2f155da5b4c11086342f2607a286f6a224111582dca7
-
Filesize: 6KB
MD5: 8a48dbba8177a82ab2d5aa8472514ca8
SHA1: a242dbfbc6d5db820001e9c1f5a69c428b716288
SHA256: b74bab3278d296dab3eeb87e4591e87dd18f56b93b0521a11e1550c707aaac82
SHA512: c1d1d3a5febfcba49a9a65f187667b88bbf74e5ce2998326f712f759c64fe9a8e839f4814156f0b504316c94567bdc404844b60dab1963d398e1de01476ce347