Analysis
- Max time kernel: 151s
- Max time network: 155s
- Platform: windows10-2004_x64
- Resource: win10v2004-20230220-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 01/06/2023, 02:40
Behavioral task behavioral1
- Sample: 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
- Resource: win10v2004-20230220-en
General
- Target: 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
- Size: 153KB
- MD5: bb78df384ff1d296d1f0b59803df89b3
- SHA1: 39c9235f96cf39a24c9907ac9ff5ab58de837bac
- SHA256: 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390
- SHA512: b682f26d3baf33ab2f11036f1c0461c1c022d8073989db5f6cfaaa84655bc46d8fa0dac7b1842c74c69d7ad640c9d390dec946cfa8dd08efd240886e816a3288
- SSDEEP: 3072:5qJogYkcSNm9V7DvjFHHjHLuHk7XHURLPGwAcT:5q2kc4m9tDFfXkuwA
Malware Config
Extracted
- Path: C:\Tvks1ukoO.README.txt
- Family: lockbit
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Renames multiple (602) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Modifies extensions of user files (16 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description | ioc | Process
  File renamed | C:\Users\Admin\Pictures\FindUnblock.tiff => C:\Users\Admin\Pictures\FindUnblock.tiff.Tvks1ukoO | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\ResumeCompare.tiff.Tvks1ukoO | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\FindUnblock.tiff | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  File renamed | C:\Users\Admin\Pictures\UnpublishAdd.png => C:\Users\Admin\Pictures\UnpublishAdd.png.Tvks1ukoO | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\SelectEnable.crw.Tvks1ukoO | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\PopWait.crw.Tvks1ukoO | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  File renamed | C:\Users\Admin\Pictures\ResumeCompare.tiff => C:\Users\Admin\Pictures\ResumeCompare.tiff.Tvks1ukoO | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  File renamed | C:\Users\Admin\Pictures\SelectEnable.crw => C:\Users\Admin\Pictures\SelectEnable.crw.Tvks1ukoO | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\UnpublishAdd.png.Tvks1ukoO | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\ImportMeasure.crw.Tvks1ukoO | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\ExportBlock.tif.Tvks1ukoO | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\FindUnblock.tiff.Tvks1ukoO | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  File renamed | C:\Users\Admin\Pictures\ImportMeasure.crw => C:\Users\Admin\Pictures\ImportMeasure.crw.Tvks1ukoO | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  File renamed | C:\Users\Admin\Pictures\PopWait.crw => C:\Users\Admin\Pictures\PopWait.crw.Tvks1ukoO | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  File opened for modification | C:\Users\Admin\Pictures\ResumeCompare.tiff | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  File renamed | C:\Users\Admin\Pictures\ExportBlock.tif => C:\Users\Admin\Pictures\ExportBlock.tif.Tvks1ukoO | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | BA77.tmp
- Executes dropped EXE (1 IoC)
  pid | Process
  5280 | BA77.tmp
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (1 IoC)
  description | ioc | Process
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
- Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\spool\PRINTERS\PPuen_bp03y3x1qo9e2_v5m70l.TMP | printfilterpipelinesvc.exe
  File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
  File created | C:\Windows\system32\spool\PRINTERS\PPygcnbx_tch2k078s_xd0man5.TMP | printfilterpipelinesvc.exe
  File created | C:\Windows\system32\spool\PRINTERS\PP6zxj57bs0ups2tsqs6wctcc4b.TMP | printfilterpipelinesvc.exe
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Tvks1ukoO.bmp" | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Tvks1ukoO.bmp" | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid | Process
  5280 | BA77.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
- Modifies Control Panel (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO\DefaultIcon\ = "C:\\ProgramData\\Tvks1ukoO.ico" | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Tvks1ukoO | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Tvks1ukoO\ = "Tvks1ukoO" | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO\DefaultIcon | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe (62 identical rows)
  5192 | ONENOTE.EXE (2 identical rows)
- Suspicious behavior: RenamesItself (26 IoCs)
  pid | Process
  5280 | BA77.tmp (26 identical rows)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeAssignPrimaryTokenPrivilege | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Token: SeBackupPrivilege | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Token: SeDebugPrivilege | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Token: 36 | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Token: SeImpersonatePrivilege | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Token: SeIncBasePriorityPrivilege | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Token: SeIncreaseQuotaPrivilege | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Token: 33 | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Token: SeManageVolumePrivilege | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Token: SeProfSingleProcessPrivilege | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Token: SeRestorePrivilege | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Token: SeSecurityPrivilege | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Token: SeSystemProfilePrivilege | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Token: SeTakeOwnershipPrivilege | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Token: SeShutdownPrivilege | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Token: SeDebugPrivilege | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe
  Token: SeBackupPrivilege | 5116 | vssvc.exe
  Token: SeRestorePrivilege | 5116 | vssvc.exe
  Token: SeAuditPrivilege | 5116 | vssvc.exe
  Token: SeBackupPrivilege / Token: SeSecurityPrivilege | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe (the remaining 45 rows, alternating in pairs between the two tokens)
- Suspicious use of SetWindowsHookEx (13 IoCs)
  pid | Process
  5192 | ONENOTE.EXE (13 identical rows)
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 2860 wrote to memory of 4644 | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe | 94 (2 identical rows)
  PID 4948 wrote to memory of 5192 | 4948 | printfilterpipelinesvc.exe | 97 (2 identical rows)
  PID 2860 wrote to memory of 5280 | 2860 | 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe | 98 (4 identical rows)
  PID 5280 wrote to memory of 5488 | 5280 | BA77.tmp | 99 (3 identical rows)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe (PID 2860)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe"
  Signatures: Modifies extensions of user files; Drops desktop.ini file(s); Sets desktop wallpaper using registry; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 4644)
    Command line: C:\Windows\splwow64.exe 12288
    Signatures: Drops file in System32 directory
  - C:\ProgramData\BA77.tmp (PID 5280)
    Command line: "C:\ProgramData\BA77.tmp"
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 5488)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BA77.tmp >> NUL
- C:\Windows\system32\vssvc.exe (PID 5116)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (PID 636)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
- C:\Windows\system32\printfilterpipelinesvc.exe (PID 4948)
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 5192)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{468C8BC1-2846-4EA9-9F59-8FF89F8B7F0F}.xps" 133300680961910000
    Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx