Analysis
max time kernel: 121s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 01/06/2023, 02:42
Behavioral task behavioral1
Sample: 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
Resource: win7-20230220-en
Behavioral task behavioral2
Sample: 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
Resource: win10v2004-20230220-en
General
Target: 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
Size: 147KB
MD5: 771fb2b4bcf212a71d0c680ff7fa7cad
SHA1: d7134a9c7fb926f02406a34c8392b081721f394b
SHA256: 9aa5bcee06109d52fade97ad21317ff951abc656ba4c800441bacfec00328fd8
SHA512: e7b2dcfbca38bc4291eba0e7ef8af5d41daa8b3478e011e14cc1e8382ca5918da283bde22e454f8aa888da0ed590edae934c8b3a04ea7b1495bd4f2c5b08b210
SSDEEP: 1536:ezICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDJFn1LhZp9jbQxh7HR/Bkb7H+TT:FqJogYkcSNm9V7Df1hbSx9Hleb0T
Malware Config
Extracted: C:\sgYFnWPUw.README.txt
Signatures
-
Renames multiple (620) files with added filename extension
This suggests ransomware activity, i.e. encryption of the files on the system.
-
Modifies extensions of user files 18 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\DenyCompress.crw.sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\DisableApprove.tif.sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
File renamed | C:\Users\Admin\Pictures\FormatClose.tiff => C:\Users\Admin\Pictures\FormatClose.tiff.sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
File renamed | C:\Users\Admin\Pictures\RestorePush.png => C:\Users\Admin\Pictures\RestorePush.png.sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
File renamed | C:\Users\Admin\Pictures\BlockClear.png => C:\Users\Admin\Pictures\BlockClear.png.sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
File renamed | C:\Users\Admin\Pictures\CompareReset.tiff => C:\Users\Admin\Pictures\CompareReset.tiff.sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\FormatClose.tiff.sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\SaveWatch.png.sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
File renamed | C:\Users\Admin\Pictures\BackupApprove.tif => C:\Users\Admin\Pictures\BackupApprove.tif.sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\BlockClear.png.sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\CompareReset.tiff | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
File renamed | C:\Users\Admin\Pictures\DisableApprove.tif => C:\Users\Admin\Pictures\DisableApprove.tif.sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\FormatClose.tiff | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\RestorePush.png.sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\BackupApprove.tif.sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\CompareReset.tiff.sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
File renamed | C:\Users\Admin\Pictures\DenyCompress.crw => C:\Users\Admin\Pictures\DenyCompress.crw.sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
File renamed | C:\Users\Admin\Pictures\SaveWatch.png => C:\Users\Admin\Pictures\SaveWatch.png.sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation | 3809.tmp
Executes dropped EXE 1 IoCs
pid | Process
2216 | 3809.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2548970870-3691742953-3895070203-1000\desktop.ini | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
File created | C:\Windows\system32\spool\PRINTERS\PPzizct7p0vw80b3s4lkv5sdeab.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPgg64il3h9uae_0sk0k4kl9pid.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPdft1nincwatvxnods6nx0fttc.TMP | printfilterpipelinesvc.exe
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\sgYFnWPUw.bmp" | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\sgYFnWPUw.bmp" | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
2216 | 3809.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
Modifies Control Panel 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\Desktop | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
Modifies registry class 5 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sgYFnWPUw\ = "sgYFnWPUw" | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sgYFnWPUw\DefaultIcon | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sgYFnWPUw | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sgYFnWPUw\DefaultIcon\ = "C:\\ProgramData\\sgYFnWPUw.ico" | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 
4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe 632 ONENOTE.EXE 632 ONENOTE.EXE -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp 2216 3809.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeDebugPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: 36 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeImpersonatePrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeIncBasePriorityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeIncreaseQuotaPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: 33 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeManageVolumePrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeProfSingleProcessPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeRestorePrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSystemProfilePrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeTakeOwnershipPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeShutdownPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeDebugPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4056 vssvc.exe Token: SeRestorePrivilege 4056 vssvc.exe Token: SeAuditPrivilege 4056 vssvc.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 
2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: 
SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeSecurityPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe Token: SeBackupPrivilege 4824 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 632 ONENOTE.EXE 632 ONENOTE.EXE 632 ONENOTE.EXE 632 ONENOTE.EXE 632 ONENOTE.EXE 632 ONENOTE.EXE 632 ONENOTE.EXE 632 ONENOTE.EXE 632 ONENOTE.EXE 632 ONENOTE.EXE 632 ONENOTE.EXE 632 ONENOTE.EXE 632 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 4824 wrote to memory of 984 | 4824 | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe | 94
PID 4824 wrote to memory of 984 | 4824 | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe | 94
PID 4824 wrote to memory of 2216 | 4824 | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe | 97
PID 4824 wrote to memory of 2216 | 4824 | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe | 97
PID 4824 wrote to memory of 2216 | 4824 | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe | 97
PID 4824 wrote to memory of 2216 | 4824 | 2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe | 97
PID 488 wrote to memory of 632 | 488 | printfilterpipelinesvc.exe | 98
PID 488 wrote to memory of 632 | 488 | printfilterpipelinesvc.exe | 98
PID 2216 wrote to memory of 748 | 2216 | 3809.tmp | 99
PID 2216 wrote to memory of 748 | 2216 | 3809.tmp | 99
PID 2216 wrote to memory of 748 | 2216 | 3809.tmp | 99
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2023-05-31_771fb2b4bcf212a71d0c680ff7fa7cad_darkside.exe"
  PID: 4824
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe
    command line: C:\Windows\splwow64.exe 12288
    PID: 984
    - Drops file in System32 directory
  C:\ProgramData\3809.tmp
    command line: "C:\ProgramData\3809.tmp"
    PID: 2216
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3809.tmp >> NUL
      PID: 748
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 4056
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 2688
C:\Windows\system32\printfilterpipelinesvc.exe
  command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  PID: 488
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
    command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{7405A335-5BCB-48E5-85CE-32DF017F4331}.xps" 133300681965850000
    PID: 632
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 129B
MD5: f15cc94dd4cbca1931c345cb83b7d831
SHA1: 318ea91777873aee10d7df0c470772459a089b56
SHA256: b9e33758e7468ee84d2fcb7922ec730edf672f8bea380799035b1b1d2c4f1560
SHA512: a44ae02d40989125c3701ba8a850505539f728a1034fe92ea0b9dfe446fb07f4439ed8adf67b5115b083f9bccac829640d1885921bd9fb5f3a43aed33aef63b1
-
Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize: 147KB
MD5: d569a07843afe7579c2ff7b63fcc4f4b
SHA1: b779612e48948d794573480cdaca0ede4b76587b
SHA256: 37e8dee263b3d47de86a774410306973a0ecc3b789dc51af4f04e238b52869aa
SHA512: 89a9792154e1f97ebea21713589d91569bc2e1cf21ee19774201e798e8b77c47e61c056472dc2f14c3ea1884c87fe9f8dbea310c6e363014c412643780651c9a
-
Filesize: 4KB
MD5: 884520669b6aa8a88b2bde4e92dfb7df
SHA1: 7a9fb2cd1d875d0503c5fe187d0afca70bc64a68
SHA256: 116fba15114f313c3ce09dbe7ae5daab4b142d121b2c47b38d6ab73ccc2d6344
SHA512: 3beec83c9f52f059d3a1c93acc5ea833d213e0aa01a39e89d6384c37270f69e9797fd9fc3986ba311a9a1f6af4621ea4bdb226d2ef11e6d1d402fb0dbbef7c9c
-
Filesize: 1KB
MD5: f7c5fec70861a68f1ab3f4acc0c91050
SHA1: c50ec3d8d9172ee48a3df276b7e76c3827a79d80
SHA256: 0213a0582f4e97ea10c4276c63eab9f4a0c81c158ca977022e1d6d1caff78625
SHA512: ef891238863ad729b028de5c1d1a59a51bdcb64d19321879dbfb70d13b1f4e2985c0c760f9f7da92923499adc5e3612e87377fd07da747b53cfae307db9f8dc2