darkside | 516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b

Resubmissions

27/01/2024, 19:37

240127-yb9zasafd8 10

27/01/2024, 19:36

240127-ybp9wsafb7 10

01/05/2021, 01:07

210501-shjstql5m2 10

Analysis

max time kernel
86s
max time network
124s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
27/01/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Size

56KB
MD5

84c1567969b86089cc33dccf41562bcd
SHA1

53f2133cb25186e9fa6d4ea3b0e41eee5aba5ef2
SHA256

516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b
SHA512

72a411cacd503b6fadb15dc90f1f9beb79ff79c620df76da381e5c780c53e11258aae72db2848c241ec55af403d67d62340e429e86c23bbf8a71287738de7eaa
SSDEEP

768:AiN4q1eksgR4SiI+rxQ3rjFrXRRWxXyw/Afy81XweyetnR9Wsf5AyT9G3kZ:r4HHerjZX7pLken5nWXWi

Score

10^/10

darkside ransomware

Malware Config

Extracted

Path

C:\README.9b45ae0c.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 500GB data. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I When you open our website, put the following data in the input form: Key: I3tBdXvJ3pOvnhgmupZAJ7BpD5IVUftr7deEdtoxwK0QcbZciUXfs5ChjD0Yj8H2wUXfctFHYShVQHWhwi1CBDRQVPgXqnCgVRQql7B1tS8Q6TSdHq5o0UxOaDrdKCoMCdrMZiw0RTbfpDpuRwLI52rP5YaqZx492wErocN9C7PE6eFQEcqwqiFNA1FwVD3fogTJqOdTJI84FnlCBuRd1ippdTk8y2x16ukfPvVHi4MhyU8i4K1Q25a7wXQUPXhIffgZBnTimLzalSGyaI3f2MlQeYbpFG2o4nfnZCHDMAZAUY6CaiR0eAYVEvesreMmimT1EOyGYjNVtGHrJYXuRI4tYZIVlsHm6Ord42NV9s9PftLGkO8NBScZ9dBTNtz0xw9tpgu8GegVTlMesg6xkUAQWJcy6MNt9nJ7lHydpu27bA1GL8MX8lWAldnClSoUrDYRc8RAZ1oUfMfbtmvMDBGVENh8kMUYaxOt7hD1HxKFn0p5XcCDzWRSWkKUTtt7C6OiIpNOUAYYJ3UvC5S3uoXmt4iokkGq1SSMnr7sXmnekmh9oNwJgh7 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://dark24vx6fsmdrtbzdzjv6ckz4yqyued4uz455oqpctko7m6vbrzibad.onion/XES2TUV3A9QL89IS7QX91V7TYSF13ASPGB2TASQ68R9Z6QYH69OVY833QSRSFU4I

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (161) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\71DC818AAEA1211A26ACC273B35C74BA	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\71DC818AAEA1211A26ACC273B35C74BA	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-771046930-2949676035-3337286276-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\9b45ae0c.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-771046930-2949676035-3337286276-1000\Control Panel\Desktop	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-771046930-2949676035-3337286276-1000\Control Panel\Desktop\WallpaperStyle = "10"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Modifies data under HKEY_USERS 33 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 6da40bf31ba834d69ca1093af9c739c26ef7dda8445f8a79a76478ec6795de1f	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 7b252a5f4f5ab10ce9bdf1d65ef8d8d733b0faa700f9707c4d1252997fb3dfac	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 69b3500b9b54ae3a471438650b7f21ca4ab5558984c0095a8b84ee4e91605f61	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = e2873d2aad376a56dd2109cfafd39dd0bb1dfad0da06d31ced0dd89146c62fa5	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 380d00002b11a5365851da01	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00320066006100370032006300660033002d0033003400630061002d0031003100650064002d0061006300610065002d006300620066003100650064006300380032006100390039007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\9b45ae0c.BMP"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 89fd6d9109a1e8bfa4b0fdf2a914d7e6f2c658ee1a2830fc0cb4025a9546f951	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00320066006100370032006300660033002d0033003400630061002d0031003100650064002d0061006300610065002d006300620066003100650064006300380032006100390039007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00320066006100370032006300660033002d0033003400630061002d0031003100650064002d0061006300610065002d006300620066003100650064006300380032006100390039007d002e0054004d002e0062006c00660000000000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 72e2f81ed9705345e0873cfb6c1f3308a17209f640bed954c3c5175e4d27e4ef	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 70aefb39b6f72a39aadd2e53cdf613c9fc4a48504415d4dcdf20efd684214ce4	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 7b8643d7cd43cfd767b166f9fe68891207181816cebf336e91db0bca2e96796f	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 1d7822467ebae1c02651bcc20d11482eb40e830efb38c2418ffe0320a4353104	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 6ae026b40824e7662f16624003f5e7697b621aa2fdee2ef7fcef416d87076200	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.9b45ae0c	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.9b45ae0c\ = "9b45ae0c"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\9b45ae0c\DefaultIcon	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\9b45ae0c	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\9b45ae0c\DefaultIcon\ = "C:\\ProgramData\\9b45ae0c.ico"	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2892	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
2892	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
3384	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3892	vssvc.exe
Token: SeRestorePrivilege	3892	vssvc.exe
Token: SeAuditPrivilege	3892	vssvc.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 2892	4280	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	77
PID 4280 wrote to memory of 2892	4280	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	77
PID 4280 wrote to memory of 2892	4280	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	77
PID 4280 wrote to memory of 2892	4280	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	77
PID 2892 wrote to memory of 3384	2892	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	82
PID 2892 wrote to memory of 3384	2892	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	82
PID 2892 wrote to memory of 3384	2892	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	82
PID 2892 wrote to memory of 4884	2892	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	83
PID 2892 wrote to memory of 4884	2892	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	83
PID 2892 wrote to memory of 4884	2892	516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe	83

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
"C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
1⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
"C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
  "C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe"
  2⤵
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
    C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe -work worker0 job0-2892
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:3384
- - C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
    C:\Users\Admin\AppData\Local\Temp\516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe -work worker1 job1-2892
    3⤵
    - Enumerates connected drives
    PID:4884

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\README.9b45ae0c.TXT

Filesize
2KB

MD5
cc9673216d53012c400856b86968c4a2

SHA1
80945bfdc6f2b30fd7b47e92ae762ab4ad792659

SHA256
5dfc11166e6b0e978aa5b95aaf2a51733033379b7e7980f5fa1d42b6333cf9e0

SHA512
f556026b31927923f385325adb493934e45750f401bf4787a0f0602f8309f520c967da72b9924f1872895718a5376eb8c433084496f5903670ad1e1d47cc4266

Download Submit