Malware Analysis Report

2024-10-16 03:21

Sample ID: 230818-qck3kahf92
Target: 24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe
SHA256: bc6a1e3bee0aadbdd1a7132bbd8a56ceb559a479a3f521a56738e146be999f96
Tags: blackmatter, ransomware, d58b3b69acc48f82eaa82076f97763d4
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: bc6a1e3bee0aadbdd1a7132bbd8a56ceb559a479a3f521a56738e146be999f96

Threat Level: Known bad

The file 24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe was found to be: Known bad.

Malicious Activity Summary

Tags: blackmatter, ransomware, d58b3b69acc48f82eaa82076f97763d4

Blackmatter family

BlackMatter Ransomware

Renames multiple (167) files with added filename extension

Renames multiple (152) files with added filename extension

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Modifies Control Panel

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-18 13:06

Signatures

Blackmatter family

blackmatter

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-18 13:06

Reported

2023-08-18 13:09

Platform

win10v2004-20230703-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Renames multiple (167) files with added filename extension

ransomware

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\yXYWCAgWd.bmp" | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\yXYWCAgWd.bmp" | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe

"C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.109.26.67.in-addr.arpa | udp
US | 8.8.8.8:53 | mojobiden.com | udp
US | 34.102.136.180:443 | mojobiden.com | tcp
US | 34.102.136.180:443 | mojobiden.com | tcp
US | 34.102.136.180:443 | mojobiden.com | tcp
US | 34.102.136.180:80 | mojobiden.com | tcp
US | 8.8.8.8:53 | nowautomation.com | udp
DE | 3.64.163.50:443 | nowautomation.com | tcp
US | 8.8.8.8:53 | 180.136.102.34.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.163.64.3.in-addr.arpa | udp
US | 8.8.8.8:53 | 142.33.222.23.in-addr.arpa | udp
DE | 3.64.163.50:80 | nowautomation.com | tcp
US | 34.102.136.180:443 | mojobiden.com | tcp
US | 34.102.136.180:443 | mojobiden.com | tcp
US | 34.102.136.180:443 | mojobiden.com | tcp
DE | 3.64.163.50:443 | nowautomation.com | tcp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp

Files

memory/116-134-0x0000000002E60000-0x0000000002E70000-memory.dmp

memory/116-133-0x0000000002E60000-0x0000000002E70000-memory.dmp

F:\yXYWCAgWd.README.txt

MD5 2a2ac841d6b7515f4b1021b92cc5f072
SHA1 e48a7a2be20b978f71a92f12ada328bcfd0b89c6
SHA256 9a59566d9ef3bab7faf9abc23f25aa19218d5afa2a910144acd011a78521377e
SHA512 a7944a10f2721db3dbdf5c36e80aae057c5fc8e2aab22a8d50c4d4e6436a7e22313257dd934961db1fa5e506c39ca23600c9d3e96a463221c13b54651bd47579

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-18 13:06

Reported

2023-08-18 13:09

Platform

win7-20230712-en

Max time kernel

149s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Renames multiple (152) files with added filename extension

ransomware

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ctFsubls0.bmp" | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ctFsubls0.bmp" | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\splwow64.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\splwow64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\splwow64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | C:\Windows\splwow64.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_Classes\Local Settings | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\splwow64.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\splwow64.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\splwow64.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe

"C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" /p C:\ctFsubls0.README.txt

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | mojobiden.com | udp
US | 34.102.136.180:443 | mojobiden.com | tcp
US | 34.102.136.180:443 | mojobiden.com | tcp
US | 34.102.136.180:443 | mojobiden.com | tcp
US | 34.102.136.180:443 | mojobiden.com | tcp
US | 34.102.136.180:80 | mojobiden.com | tcp
US | 8.8.8.8:53 | nowautomation.com | udp
DE | 3.64.163.50:443 | nowautomation.com | tcp
US | 8.8.8.8:53 | apps.identrust.com | udp
US | 2.18.121.70:80 | apps.identrust.com | tcp
DE | 3.64.163.50:80 | nowautomation.com | tcp
US | 34.102.136.180:443 | mojobiden.com | tcp
US | 34.102.136.180:443 | mojobiden.com | tcp
US | 34.102.136.180:443 | mojobiden.com | tcp
US | 34.102.136.180:443 | mojobiden.com | tcp
DE | 3.64.163.50:443 | nowautomation.com | tcp

Files

memory/2020-54-0x0000000000120000-0x0000000000160000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7DAA.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\Tar7E49.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bdb4fbd2657475214a9a32d260381d36
SHA1 678795b0611a33226f3529619cc05be6b16e317f
SHA256 ee8d098deb1a81799de86a46156eb89251a3f880373fc94429cbc3135b1e5ff8
SHA512 30e868391b8339f3321484c2f4ac698bcdf6e5071fdddc548da5e0d230b91014522d31ded8dc3ce43c2fc7c89a6c1bcf61f2c423599555f5cce8dc5260343296

C:\ctFsubls0.README.txt

MD5 2a2ac841d6b7515f4b1021b92cc5f072
SHA1 e48a7a2be20b978f71a92f12ada328bcfd0b89c6
SHA256 9a59566d9ef3bab7faf9abc23f25aa19218d5afa2a910144acd011a78521377e
SHA512 a7944a10f2721db3dbdf5c36e80aae057c5fc8e2aab22a8d50c4d4e6436a7e22313257dd934961db1fa5e506c39ca23600c9d3e96a463221c13b54651bd47579

memory/2760-372-0x0000000004260000-0x0000000004261000-memory.dmp

memory/2760-373-0x0000000004350000-0x0000000004360000-memory.dmp

memory/2760-374-0x0000000004260000-0x0000000004261000-memory.dmp