Malware Analysis Report

2024-11-30 11:41

Sample ID 240215-pkpkaaff7t
Target 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside
SHA256 6dd44d852226fd9e7fc914c6edbaf185bfcaacdc7a4dcdb7268440e6fc811618
Tags
ransomware spyware stealer lockbit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6dd44d852226fd9e7fc914c6edbaf185bfcaacdc7a4dcdb7268440e6fc811618

Threat Level: Known bad

The file 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside was found to be: Known bad.

Malicious Activity Summary

ransomware spyware stealer lockbit

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Renames multiple (583) files with added filename extension

Renames multiple (348) files with added filename extension

Deletes itself

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Drops desktop.ini file(s)

Drops file in System32 directory

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Enumerates system info in registry

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Checks processor information in registry

Modifies Control Panel

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-15 12:23

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-15 12:23

Reported

2024-02-15 12:26

Platform

win10v2004-20231215-en

Max time kernel

139s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe"

Signatures

Renames multiple (583) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\ProgramData\949B.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\949B.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\949B.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3073191680-435865314-2862784915-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3073191680-435865314-2862784915-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP120l8sxk3gff0vu0f1lydbvod.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP46gxukoeldl35_twiuzj7y4n.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPuardaru3wvu4no8oqh3u8b5q.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\G3fEAZsSH.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\G3fEAZsSH.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\G3fEAZsSH\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\G3fEAZsSH C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\G3fEAZsSH\DefaultIcon\ = "C:\\ProgramData\\G3fEAZsSH.ico" C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.G3fEAZsSH C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.G3fEAZsSH\ = "G3fEAZsSH" C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4512 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe C:\Windows\splwow64.exe
PID 3368 wrote to memory of 4604 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 4512 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe C:\ProgramData\949B.tmp
PID 4952 wrote to memory of 2636 N/A C:\ProgramData\949B.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{C959188E-3292-439D-AE95-C76F799F8C52}.xps" 133524734507240000

C:\ProgramData\949B.tmp

"C:\ProgramData\949B.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\949B.tmp >> NUL

Network


Files

C:\$Recycle.Bin\S-1-5-21-3073191680-435865314-2862784915-1000\desktop.ini

MD5 8d5f7adca59dfd6c8ecd7cb2d5721865
SHA1 febc9e9c0ce37866466e02cb43fc2a1916c1445b
SHA256 915524a825c6ab8148b67e2c35f5009a6d9dba8198c82f75f58f0960c48a01ab
SHA512 1ec78dc2a71307b461120c466a3efc803c31707edde6bc18adec76be4dc17effc9976a2ce360c934971c51b5e07d76ec113961b75f785c992270d7bcac2c117d

F:\$RECYCLE.BIN\S-1-5-21-3073191680-435865314-2862784915-1000\EEEEEEEEEEE

MD5 8604f4612e9c09ca67f8d77ab18868d1
SHA1 64c4b3d7eb737915a8f249969b82ee6684b75302
SHA256 283e56a4311396c2f126cee7d4ebed0adee8041552c4286431032d439a650106
SHA512 e7c96be70a84966f7eeabb0a01edd0179cb28fe2935017323ad8c45d0df28534cf10decf6c4fa7567fee266657fd18505a93d5ff2f684cfea1af2e549633e16a

C:\G3fEAZsSH.README.txt

MD5 c27b4229efac6671942d30719e33225d
SHA1 dfc06ec8ae7e1047aedc4e9f8f0c9e83ad69c507
SHA256 ccb3796c65736cbb0e28cedc370b210f27dff6877cfb8cec85e75f151b48b630
SHA512 5cf85171e683a5982930b047dbfe3278d896b2f146863668620a990003e3467313006fc3e7a139d84f02537a11b42571b7dc958465df8b8caad2091174f992a0

C:\ProgramData\949B.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 71ba59ad49314d0c71a9bc76e1d4b02a
SHA1 33dbdbf0c6233904781d398c10752fa861c82624
SHA256 f57a130ceb40304d8b235322d0c9339d78722e1cb79a52ea6e14cffcdfeac1b6
SHA512 332be5d08cf2ab72427cb861a39faf1cd26a73ebea83e1f5017ce03018c03878985eedd389e88db5b5cae98863af7379652874c6b70f5f79780b03088cdfaab7

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 463bb6a2246135694707ba3850d4cc33
SHA1 2ffa8a521e365ffd09ded14a2bf6c48841ccf928
SHA256 4cb38e5751fbcca30bdfa84ed41efd1161ff56580d740e9276aeb366134d7504
SHA512 8f9354650f860f51dabf350c371fd2fc81c3e348c10babd8c94514f0b5ad022fc7397d260e23f507ee91afa62e1049249a5a341443ea1ede71b5134002d5964c

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-15 12:23

Reported

2024-02-15 12:26

Platform

win7-20231215-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe"

Signatures

Renames multiple (348) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\CC83.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\CC83.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\G3fEAZsSH.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\G3fEAZsSH.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.G3fEAZsSH C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.G3fEAZsSH\ = "G3fEAZsSH" C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\G3fEAZsSH\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\G3fEAZsSH C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\G3fEAZsSH\DefaultIcon\ = "C:\\ProgramData\\G3fEAZsSH.ico" C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe"

C:\ProgramData\CC83.tmp

"C:\ProgramData\CC83.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CC83.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files

memory/2224-0-0x0000000000380000-0x00000000003C0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini

MD5 ba71b40da11cc3ebeebd5b611acc7ff1
SHA1 399a7221270a4e8677ff8a7e6dcf934a5de46d1a
SHA256 ece17e575a0d1c1b5747b4a44d87b47b254c52eda699db70a5602156e89a0f9a
SHA512 bf65b44c0283d79678e63998877f76476657e10fef9a7471201eda7dd595074371acecabdb8fef36a52c018fb3af9f71938def7442c46d08dfa55f3abb4e44e3

C:\G3fEAZsSH.README.txt

MD5 c27b4229efac6671942d30719e33225d
SHA1 dfc06ec8ae7e1047aedc4e9f8f0c9e83ad69c507
SHA256 ccb3796c65736cbb0e28cedc370b210f27dff6877cfb8cec85e75f151b48b630
SHA512 5cf85171e683a5982930b047dbfe3278d896b2f146863668620a990003e3467313006fc3e7a139d84f02537a11b42571b7dc958465df8b8caad2091174f992a0

F:\$RECYCLE.BIN\S-1-5-21-3427588347-1492276948-3422228430-1000\PPPPPPPPPPP

MD5 cc3a9142ca5235eb0f346e41857971a7
SHA1 45bc87b30bcde054e3c2564d4efdb49e235e4f01
SHA256 34193d45fc08159f577231235e09a9ccd3aae221875f9fdd186529d15cd7a8cf
SHA512 10becb2cd70305dea3d121cb1ab4b4efe332d3827cce60fbbfb06bfd675bc762bb9ce4ee20675147411edcd2f8b380133c3b70a40ae12d9e37d20e7940e86b3e

\ProgramData\CC83.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1544-866-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/1544-868-0x0000000002080000-0x00000000020C0000-memory.dmp

memory/1544-871-0x0000000002080000-0x00000000020C0000-memory.dmp

memory/1544-873-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/1544-874-0x000000007EF20000-0x000000007EF21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 f5136a84e0a9db7d29d498e4b6e64703
SHA1 78f8f6d8bf46d0b645c3f921a08ec77cd7a3093a
SHA256 2f925c0c719b010b7fd664c38da1881219c8ba1ab05ae800c4bf95253e864761
SHA512 552298994e6738e02a798c725a6e630b91bb7b8983210417d6c336e0bf54093da18588f8501a4c402971b4aa7aac6017530b2b5b788786853bc5fc8fcfca32d1

memory/1544-899-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/1544-900-0x000000007EF60000-0x000000007EF61000-memory.dmp