Analysis Overview
SHA256
bc6a1e3bee0aadbdd1a7132bbd8a56ceb559a479a3f521a56738e146be999f96
Threat Level: Known bad
The file 24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
BlackMatter Ransomware
Renames multiple (167) files with added filename extension
Renames multiple (152) files with added filename extension
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious behavior: GetForegroundWindowSpam
Modifies Control Panel
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-18 13:06
Signatures
Blackmatter family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-18 13:06
Reported
2023-08-18 13:09
Platform
win10v2004-20230703-en
Max time kernel
141s
Max time network
148s
Command Line
Signatures
BlackMatter Ransomware
Renames multiple (167) files with added filename extension
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\yXYWCAgWd.bmp" | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\yXYWCAgWd.bmp" | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe
"C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.109.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 34.102.136.180:443 | mojobiden.com | tcp |
| US | 34.102.136.180:443 | mojobiden.com | tcp |
| US | 34.102.136.180:443 | mojobiden.com | tcp |
| US | 34.102.136.180:80 | mojobiden.com | tcp |
| US | 8.8.8.8:53 | nowautomation.com | udp |
| DE | 3.64.163.50:443 | nowautomation.com | tcp |
| US | 8.8.8.8:53 | 180.136.102.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.163.64.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.33.222.23.in-addr.arpa | udp |
| DE | 3.64.163.50:80 | nowautomation.com | tcp |
| US | 34.102.136.180:443 | mojobiden.com | tcp |
| US | 34.102.136.180:443 | mojobiden.com | tcp |
| US | 34.102.136.180:443 | mojobiden.com | tcp |
| DE | 3.64.163.50:443 | nowautomation.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
Files
memory/116-134-0x0000000002E60000-0x0000000002E70000-memory.dmp
memory/116-133-0x0000000002E60000-0x0000000002E70000-memory.dmp
F:\yXYWCAgWd.README.txt
| MD5 | 2a2ac841d6b7515f4b1021b92cc5f072 |
| SHA1 | e48a7a2be20b978f71a92f12ada328bcfd0b89c6 |
| SHA256 | 9a59566d9ef3bab7faf9abc23f25aa19218d5afa2a910144acd011a78521377e |
| SHA512 | a7944a10f2721db3dbdf5c36e80aae057c5fc8e2aab22a8d50c4d4e6436a7e22313257dd934961db1fa5e506c39ca23600c9d3e96a463221c13b54651bd47579 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-18 13:06
Reported
2023-08-18 13:09
Platform
win7-20230712-en
Max time kernel
149s
Max time network
125s
Command Line
Signatures
BlackMatter Ransomware
Renames multiple (152) files with added filename extension
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ctFsubls0.bmp" | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ctFsubls0.bmp" | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\splwow64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\splwow64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\splwow64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | C:\Windows\splwow64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\splwow64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | C:\Windows\splwow64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | C:\Windows\splwow64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\splwow64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | C:\Windows\splwow64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | C:\Windows\splwow64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_Classes\Local Settings | C:\Windows\splwow64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\splwow64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\splwow64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\splwow64.exe | N/A |
Modifies system certificate store
Note: both thumbprints below are public CA roots (CABD2A79A1076A31F21D253635CB039D4329A5E8 is ISRG Root X1, DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is DST Root CA X3). They were written by CryptoAPI inside the sample's process while it validated the TLS chain of its HTTPS connections to mojobiden.com and nowautomation.com; the apps.identrust.com contact under Network and the CryptnetUrlCache entry under Files are the same chain-building activity, and the Win10 run shows no such write. Treat this signature as a side effect of the network contact, not as the sample planting its own root of trust.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
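A sandbox flags every write under SystemCertificates the same way, so the practitioner's question is whether the thumbprint is a public root that Windows' automatic root update would install by itself (here ISRG Root X1 and DST Root CA X3, pulled in while validating the Let's Encrypt chain of the HTTPS connections) or an unknown root that the sample is planting. The Python below is an added example, not code from the report or the sample: it parses SystemCertificates indicator paths, matches the thumbprint against a small embedded list of public roots, and only accepts the auto-root-update explanation when the same report also shows the chain-building side effects (an apps.identrust.com contact or a CryptnetUrlCache file). The two indicator rows and the corroborating domain and file are copied from the behavioral1 run above; the all-ones thumbprint row is constructed to exercise the review outcome.

```python
"""Triage 'Modifies system certificate store' indicators from a sandbox report.

Added example, not the report's or the sample's code. The root thumbprints are
public facts; the indicator rows are copied from behavioral1 above, except the
all-ones row, which is constructed to exercise the 'review' outcome.
"""
import re

# SHA-1 thumbprints of public CA roots. Windows' automatic root update writes
# these into ROOT/AuthRoot the first time a chain that needs them is validated.
KNOWN_PUBLIC_ROOTS = {
    "CABD2A79A1076A31F21D253635CB039D4329A5E8": "ISRG Root X1 (Let's Encrypt)",
    "DAC9024F54D8F6DF94935FB1732638CA6AD77C13": "DST Root CA X3 (IdenTrust)",
}

# Machine-wide certificate stores as CryptoAPI lays them out in the registry.
CERT_KEY_RE = re.compile(
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\"
    r"(?P<store>[A-Za-z]+)\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})\b"
)


def parse_cert_indicator(indicator):
    """(store, THUMBPRINT) for a SystemCertificates key path, else None."""
    m = CERT_KEY_RE.search(indicator)
    return (m.group("store"), m.group("thumb").upper()) if m else None


def classify(indicator, contacted_domains=(), dropped_files=()):
    """Label one cert-store write.

    'auto-root-update'           known public root AND the report shows chain
                                 building (apps.identrust.com or CryptnetUrlCache)
    'known-root-uncorroborated'  known root, but no such side effect in the report
    'review'                     anything else: an unknown root in ROOT/AuthRoot is
                                 how TLS interception or forged signing trust lands
    """
    parsed = parse_cert_indicator(indicator)
    if parsed is None:
        return None
    store, thumb = parsed
    name = KNOWN_PUBLIC_ROOTS.get(thumb)
    corroborated = (any(d.lower() == "apps.identrust.com" for d in contacted_domains)
                    or any("cryptneturlcache" in f.lower() for f in dropped_files))
    if name and store.upper() in ("ROOT", "AUTHROOT"):
        verdict = "auto-root-update" if corroborated else "known-root-uncorroborated"
    else:
        verdict = "review"
    return {"store": store, "thumbprint": thumb, "name": name, "verdict": verdict}


# Indicator paths copied from the behavioral1 run above.
ISRG_ROW = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8"
DST_ROW = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob"
# Constructed row: same key layout, a thumbprint that is not a public root.
CONSTRUCTED_ROW = ISRG_ROW.replace("CABD2A79A1076A31F21D253635CB039D4329A5E8", "1" * 40)
# Corroborating evidence from the same run's Network and Files sections.
DOMAINS = ["mojobiden.com", "nowautomation.com", "apps.identrust.com"]
FILES = [r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015"]

if __name__ == "__main__":
    for row in (ISRG_ROW, DST_ROW, CONSTRUCTED_ROW):
        print(classify(row, DOMAINS, FILES))
```

The corroboration step matters: a known thumbprint alone is weak evidence, since an attacker can just as well drop a public root's key to look like auto-update; the DNS contact to the CA's AIA host plus the CryptnetUrlCache write are what Windows produces on its own and what the Win10 run, which needed no fetch, lacks.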
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\splwow64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\splwow64.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe
"C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" /p C:\ctFsubls0.README.txt
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Note: NOTEPAD.EXE /p prints the file to the default printer instead of displaying it, so the ransom note is being sent to whatever printer the host has. splwow64.exe is the 64-bit print driver host that Windows starts on behalf of a 32-bit process that prints; the "Modifies registry class" (ComDlg shell bags), SetWindowsHookEx and GetForegroundWindowSpam signatures attributed to it above come from that print job and its dialog, not from the sample injecting into it.
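The two behavioral runs share one pattern: the wallpaper bitmap under C:\ProgramData, the README.txt ransom note and (on the Win7 run) the NOTEPAD.EXE /p command line all carry the same per-run identifier, yXYWCAgWd on Win10 and ctFsubls0 on Win7. The Python below is an added example, not part of the report or of the sample, that pulls that identifier out of the registry indicators, the file list and the process command lines of a run and summarises what the run did with it. It assumes, as an inference the report does not state, that the same identifier is the extension appended to encrypted files; the sample inputs are copied from the two runs above.

```python
"""Correlate the artefacts of one BlackMatter detonation run by its victim ID.

Added example for the report above; nothing here is the sample's or the
sandbox's own code. Sample inputs are copied from the two behavioral runs.
"""
import re

# Wallpaper value written under HKCU\Control Panel\Desktop (doubled backslashes
# are how the report prints REG_SZ paths).
WALLPAPER_RE = re.compile(r'Control Panel\\Desktop\\Wallpaper = "(?P<path>[^"]+)"', re.IGNORECASE)
# Ransom-note naming seen in the report: <victim id>.README.txt
NOTE_RE = re.compile(r"^(?P<vid>[A-Za-z0-9]+)\.README\.txt$", re.IGNORECASE)
# First token of a command line, quoted or bare.
EXE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>\S+))')


def basename(win_path):
    """Last component of a Windows path; collapses the report's doubled backslashes."""
    return win_path.replace("\\\\", "\\").rstrip("\\").split("\\")[-1]


def victim_id_from_wallpaper(indicator):
    """Victim ID from a Wallpaper registry indicator (stem of the .bmp), or None."""
    m = WALLPAPER_RE.search(indicator)
    if not m:
        return None
    name = basename(m.group("path"))
    return name[:-4] if name.lower().endswith(".bmp") else None


def victim_id_from_note(path):
    """Victim ID from a <vid>.README.txt path, or None."""
    m = NOTE_RE.match(basename(path))
    return m.group("vid") if m else None


def is_encrypted_name(filename, vid):
    """Assumption (not stated in the report): encrypted files get '.<vid>' appended."""
    suffix = "." + vid.lower()
    return filename.lower().endswith(suffix) and len(filename) > len(suffix)


def image_name(cmdline):
    """Lower-cased executable name from a command line, e.g. 'notepad.exe'."""
    m = EXE_RE.match(cmdline.strip())
    return basename(m.group("q") or m.group("u")).lower() if m else ""


def correlate(registry_rows, file_paths, command_lines):
    """Summarise one run: the victim ID and whether every artefact carries the same one."""
    ids = {v for v in map(victim_id_from_wallpaper, registry_rows) if v}
    notes = sorted(p for p in file_paths if victim_id_from_note(p))
    ids |= {victim_id_from_note(p) for p in notes}
    images = {image_name(c) for c in command_lines}
    # notepad.exe /p prints the file instead of opening it in a window
    printed = [c for c in command_lines
               if image_name(c) == "notepad.exe" and re.search(r"(?:^|\s)/p(?:\s|$)", c, re.I)]
    vid = next(iter(ids)) if len(ids) == 1 else None
    return {
        "victim_id": vid,
        "artefacts_agree": vid is not None,
        "encrypted_extension": "." + vid if vid else None,  # assumption, see is_encrypted_name
        "ransom_notes": notes,
        "note_printed": bool(printed),
        "vss_service_started": "vssvc.exe" in images,       # VSS service came up during the run
        "print_spooler_proxy": "splwow64.exe" in images,     # 64-bit print host for a 32-bit printer
    }


# Copied from the behavioral1 (Win7) run above.
WIN7_REGISTRY = [
    r'\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ctFsubls0.bmp"',
    r'\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Control Panel\Desktop\WallpaperStyle = "10"',
]
WIN7_FILES = [r"C:\ctFsubls0.README.txt", r"C:\Users\Admin\AppData\Local\Temp\Cab7DAA.tmp"]
WIN7_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe"',
    r"C:\Windows\system32\vssvc.exe",
    r'"C:\Windows\system32\NOTEPAD.EXE" /p C:\ctFsubls0.README.txt',
    r"C:\Windows\splwow64.exe 12288",
]
# Copied from the behavioral2 (Win10) run above.
WIN10_REGISTRY = [
    r'\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\yXYWCAgWd.bmp"',
]
WIN10_FILES = [r"F:\yXYWCAgWd.README.txt"]
WIN10_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\24e77cdf989fe275ee1a32971d9df69e_darkside_JC.exe"',
    r"C:\Windows\system32\vssvc.exe",
]

if __name__ == "__main__":
    for label, args in (("win7", (WIN7_REGISTRY, WIN7_FILES, WIN7_CMDLINES)),
                        ("win10", (WIN10_REGISTRY, WIN10_FILES, WIN10_CMDLINES))):
        print(label, correlate(*args))
```

Because the identifier is generated per run, it is useless as a static IOC; what transfers to a live host is the shape: a Wallpaper value pointing at a freshly written .bmp under C:\ProgramData, a <id>.README.txt note on every volume, and the VSS service starting under a process from %TEMP%.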
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 34.102.136.180:443 | mojobiden.com | tcp |
| US | 34.102.136.180:443 | mojobiden.com | tcp |
| US | 34.102.136.180:443 | mojobiden.com | tcp |
| US | 34.102.136.180:443 | mojobiden.com | tcp |
| US | 34.102.136.180:80 | mojobiden.com | tcp |
| US | 8.8.8.8:53 | nowautomation.com | udp |
| DE | 3.64.163.50:443 | nowautomation.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.121.70:80 | apps.identrust.com | tcp |
| DE | 3.64.163.50:80 | nowautomation.com | tcp |
| US | 34.102.136.180:443 | mojobiden.com | tcp |
| US | 34.102.136.180:443 | mojobiden.com | tcp |
| US | 34.102.136.180:443 | mojobiden.com | tcp |
| US | 34.102.136.180:443 | mojobiden.com | tcp |
| DE | 3.64.163.50:443 | nowautomation.com | tcp |
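The Network tables of both runs mix three kinds of rows with the two domains the sample actually contacts: the sandbox resolver (8.8.8.8:53) answering DNS queries, reverse PTR lookups (*.in-addr.arpa) that name an address rather than a domain, and the CryptoAPI fetch from apps.identrust.com that belongs with the certificate-store writes. The Python below is an added example, not code from the report: it folds rows from both tables into a deduplicated IOC set, grouping each name with the ip:port endpoints it resolved to, decoding the PTR names back into the addresses that were looked up, and setting CA plumbing apart from operator infrastructure. The rows are copied from the tables above; RESOLVERS and CA_INFRA are the editor's own exclusion lists.

```python
"""Fold the Network tables of a sandbox report into a deduplicated IOC set.

Added example, not the report's code. Rows are copied from the two behavioral
runs above; RESOLVERS and CA_INFRA are the editor's exclusion lists.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^\|\s*(?P<cc>\w+)\s*\|\s*(?P<dest>[\d.]+):(?P<port>\d+)\s*\|"
    r"\s*(?P<domain>\S+)\s*\|\s*(?P<proto>\w+)\s*\|$"
)
RESOLVERS = {"8.8.8.8"}              # sandbox DNS, not the sample's infrastructure
CA_INFRA = {"apps.identrust.com"}    # CryptoAPI fetching a root/AIA, see Files


def ip_key(ip):
    """Sort key so 3.x.x.x orders before 34.x.x.x."""
    return tuple(int(o) for o in ip.split("."))


def reverse_ptr(name):
    """'146.78.124.51.in-addr.arpa' -> '51.124.78.146'; None for ordinary names."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))


def extract_iocs(table_text):
    """Group contacts by name, split out CA plumbing, decode PTR lookups."""
    contacts = defaultdict(set)   # name -> {ip:port} over tcp; empty set = DNS query only
    ptr_targets = set()
    for line in table_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue              # header, separator or prose
        dest, port, name, proto = m.group("dest", "port", "domain", "proto")
        ip = reverse_ptr(name)
        if ip is not None:
            ptr_targets.add(ip)   # something on the host asked who owns this address
            continue
        bucket = contacts[name]   # touching the key records a DNS-only contact
        if not (dest in RESOLVERS and proto.lower() == "udp"):
            bucket.add(f"{dest}:{port}")
    return {
        "domains": {n: sorted(e) for n, e in contacts.items() if n not in CA_INFRA},
        "ca_infrastructure": {n: sorted(e) for n, e in contacts.items() if n in CA_INFRA},
        "ptr_targets": sorted(ptr_targets, key=ip_key),
    }


def blocklist(result):
    """Flat, sorted list of operator-side domains then IPs, ready for a blocklist."""
    names = set(result["domains"])
    ips = {e.rsplit(":", 1)[0] for eps in result["domains"].values() for e in eps}
    return sorted(names) + sorted(ips, key=ip_key)


# Rows copied from the Network tables of both runs (duplicates kept on purpose).
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 34.102.136.180:443 | mojobiden.com | tcp |
| US | 34.102.136.180:443 | mojobiden.com | tcp |
| US | 34.102.136.180:80 | mojobiden.com | tcp |
| US | 8.8.8.8:53 | nowautomation.com | udp |
| DE | 3.64.163.50:443 | nowautomation.com | tcp |
| US | 8.8.8.8:53 | 180.136.102.34.in-addr.arpa | udp |
| DE | 3.64.163.50:80 | nowautomation.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.121.70:80 | apps.identrust.com | tcp |
"""

if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_TABLE)
    print(iocs)
    print(blocklist(iocs))
```

The PTR targets are worth keeping separately rather than discarding: one of them (34.102.136.180) is the address mojobiden.com resolved to, so the host also looked up the reverse name of its own contact, while the others name addresses that never appear as a destination and are therefore not IOCs on their own.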
Files
memory/2020-54-0x0000000000120000-0x0000000000160000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab7DAA.tmp
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
C:\Users\Admin\AppData\Local\Temp\Tar7E49.tmp
| MD5 | 4ff65ad929cd9a367680e0e5b1c08166 |
| SHA1 | c0af0d4396bd1f15c45f39d3b849ba444233b3a2 |
| SHA256 | c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6 |
| SHA512 | f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bdb4fbd2657475214a9a32d260381d36 |
| SHA1 | 678795b0611a33226f3529619cc05be6b16e317f |
| SHA256 | ee8d098deb1a81799de86a46156eb89251a3f880373fc94429cbc3135b1e5ff8 |
| SHA512 | 30e868391b8339f3321484c2f4ac698bcdf6e5071fdddc548da5e0d230b91014522d31ded8dc3ce43c2fc7c89a6c1bcf61f2c423599555f5cce8dc5260343296 |
C:\ctFsubls0.README.txt
| MD5 | 2a2ac841d6b7515f4b1021b92cc5f072 |
| SHA1 | e48a7a2be20b978f71a92f12ada328bcfd0b89c6 |
| SHA256 | 9a59566d9ef3bab7faf9abc23f25aa19218d5afa2a910144acd011a78521377e |
| SHA512 | a7944a10f2721db3dbdf5c36e80aae057c5fc8e2aab22a8d50c4d4e6436a7e22313257dd934961db1fa5e506c39ca23600c9d3e96a463221c13b54651bd47579 |
memory/2760-372-0x0000000004260000-0x0000000004261000-memory.dmp
memory/2760-373-0x0000000004350000-0x0000000004360000-memory.dmp
memory/2760-374-0x0000000004260000-0x0000000004261000-memory.dmp