Analysis
max time kernel: 147s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-02-2024 15:43
Behavioral task: behavioral1
Sample: 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe
Resource: win10v2004-20240221-en
General
Target: 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe
Size: 197KB
MD5: d448393d4c47c1f251bd4bd57aec126a
SHA1: f025fd3136d93bddb0cd69cb4241846d959a7ad1
SHA256: 32cf89ca7cccc410ca4ad9bc58e22fe8920131687ef2a0d9f61d215c9d50d661
SHA512: 35e38476ea52df05fc995be3a73d3f0d0b0c00bf90c113aa08fe357e4e4d78f33abe2512cd854bd72c0e63b305a84e6c5ab48cd6e16cfb533b334b02c53f284a
SSDEEP: 3072:S6glyuxE4GsUPnliByocWepUojzdzbJEmMcZmyaFYdaEA8BT/j:S6gDBGpvEByocWeOMdnuY0Qn
Malware Config
Extracted from: C:\CeP8Gfyd2.README.txt
Family: lockbit
Contact/leak-site URLs listed in the ransom note (onion, .onion.ly mirror and clearnet addresses):
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Renames multiple (584) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 704F.tmp
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation | 704F.tmp

Deletes itself (1 IoCs)
Processes: 704F.tmp
pid | Process
3236 | 704F.tmp

Executes dropped EXE (1 IoCs)
Processes: 704F.tmp
pid | Process
3236 | 704F.tmp

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (2 IoCs)
Processes: 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-910440534-423636034-2318342392-1000\desktop.ini | 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-910440534-423636034-2318342392-1000\desktop.ini | 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe

Drops file in System32 directory (4 IoCs)
Processes: printfilterpipelinesvc.exe, splwow64.exe
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\PPs_vhy6vuhfndvdr60a650z4zc.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
File created | C:\Windows\system32\spool\PRINTERS\PPankqbwb0q7yulvi3u90ixt0j.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPx2w1eqtj56w34_a2atnb5y4ed.TMP | printfilterpipelinesvc.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes: 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\CeP8Gfyd2.bmp" | 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\CeP8Gfyd2.bmp" | 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes: 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe, 704F.tmp
pid | Process
4972 | 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe (4 entries)
3236 | 704F.tmp (1 entry)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: ONENOTE.EXE
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: ONENOTE.EXE
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE

Modifies Control Panel (2 IoCs)
Processes: 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\Desktop | 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe

Modifies registry class (5 IoCs)
Processes: 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.CeP8Gfyd2\ = "CeP8Gfyd2" | 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CeP8Gfyd2\DefaultIcon | 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CeP8Gfyd2 | 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CeP8Gfyd2\DefaultIcon\ = "C:\\ProgramData\\CeP8Gfyd2.ico" | 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.CeP8Gfyd2 | 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe
pid | Process
4972 | 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe (same entry listed 64 times)

Suspicious behavior: RenamesItself (26 IoCs)
Processes: 704F.tmp
pid | Process
3236 | 704F.tmp (same entry listed 26 times)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe
description | pid | Process (all 64 entries are pid 4972, 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe)
Token: SeAssignPrimaryTokenPrivilege
Token: SeBackupPrivilege
Token: SeDebugPrivilege
Token: 36
Token: SeImpersonatePrivilege
Token: SeIncBasePriorityPrivilege
Token: SeIncreaseQuotaPrivilege
Token: 33
Token: SeManageVolumePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeRestorePrivilege
Token: SeSecurityPrivilege
Token: SeSystemProfilePrivilege
Token: SeTakeOwnershipPrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeBackupPrivilege / Token: SeSecurityPrivilege (the remaining entries alternate between these two, in pairs)

Suspicious use of SetWindowsHookEx (13 IoCs)
Processes: ONENOTE.EXE
pid | Process
1404 | ONENOTE.EXE (same entry listed 13 times)

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe, printfilterpipelinesvc.exe, 704F.tmp
description | pid | Process | procid_target
PID 4972 wrote to memory of 1856 | 4972 | 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe | 89 (2 entries)
PID 4748 wrote to memory of 1404 | 4748 | printfilterpipelinesvc.exe | 92 (2 entries)
PID 4972 wrote to memory of 3236 | 4972 | 2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe | 93 (4 entries)
PID 3236 wrote to memory of 816 | 3236 | 704F.tmp | 95 (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-21_d448393d4c47c1f251bd4bd57aec126a_darkside.exe"
  PID: 4972
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\splwow64.exe (child of PID 4972)
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1856
    - Drops file in System32 directory

  C:\ProgramData\704F.tmp (child of PID 4972)
    Command line: "C:\ProgramData\704F.tmp"
    PID: 3236
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (child of PID 3236)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\704F.tmp >> NUL
      PID: 816

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 1868

C:\Windows\system32\printfilterpipelinesvc.exe
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  PID: 4748
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (child of PID 4748)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{D3A977C4-F8BE-4512-A9B7-B9189478441C}.xps" 133530038335090000
    PID: 1404
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads