Malware Analysis Report

2024-11-30 11:43

Sample ID 240223-3mhreace8x
Target 2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside
SHA256 110372c328433649abf49f1079ea0c6610770cf9b22e7f9dfd55144dffa21aa4
Tags ransomware spyware stealer lockbit
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 110372c328433649abf49f1079ea0c6610770cf9b22e7f9dfd55144dffa21aa4

Threat Level: Known bad

The file 2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside was found to be: Known bad.

Malicious Activity Summary

ransomware spyware stealer lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Renames multiple (346) files with added filename extension

Renames multiple (581) files with added filename extension

Loads dropped DLL

Deletes itself

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies registry class

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 23:37

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 23:37

Reported

2024-02-23 23:40

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe"

Signatures

Renames multiple (346) files with added filename extension

ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\7771.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\7771.tmp | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\VFW6UbLgG.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\VFW6UbLgG.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VFW6UbLgG | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VFW6UbLgG\DefaultIcon\ = "C:\\ProgramData\\VFW6UbLgG.ico" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.VFW6UbLgG | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.VFW6UbLgG\ = "VFW6UbLgG" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VFW6UbLgG\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
(14 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe"

C:\ProgramData\7771.tmp

"C:\ProgramData\7771.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7771.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x150

Network

N/A

Files

memory/2248-0-0x0000000000250000-0x0000000000290000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini

MD5 e5a08ef007f8692c753ef1475d2967bb
SHA1 5bb6a8461e54ccf47448377dd779d81621093c1e
SHA256 ef741c398c9c232b1b57f5713875975eec15f3df44772d3f75faf320aa3e30ab
SHA512 95f6baf1b49269c331b5c25c9c4f65772330b95f16d41709b60d50f0293dc9a74fd903376daaf6149c2b9a56e0bb588f478c8098218aac6d491178d8f7d71312

C:\VFW6UbLgG.README.txt

MD5 d013648a614da1c3fd78cee4bfeb6122
SHA1 ea379e5a278a475b673d7e64cba2f1f1d975f654
SHA256 b58b15d46682c620c2a389b351200690af750b0322c573d0685ced0539d33f40
SHA512 2377f95c04e7dab72807b3a734dde18ccc418c0db91dd7a9b0ebd913f554cb579dacd3ac78c3544964fd6970d2199f874156f7790ecc01022759c40868c81456

F:\$RECYCLE.BIN\S-1-5-21-1650401615-1019878084-3673944445-1000\DDDDDDDDDDD

MD5 979f8fb35466be3409a8ecbe8c16a7aa
SHA1 cba8573847d08c980ed1fcf41d5bd23c8e7cc608
SHA256 5d25bca31f1c91fea89933862f6ab97af6e99190e4aa016ceefeccbb7b5fbeac
SHA512 d7f6f6f910e8d3b72692208ff868fcc7bf07d15c6b9e523a1acc7a0d9d3387c83773b8d628e38ab9a6504a237c728983f5d941a81d47c2a648c06602df8f4167

\ProgramData\7771.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1472-864-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/1472-866-0x0000000002110000-0x0000000002150000-memory.dmp

memory/1472-873-0x0000000002110000-0x0000000002150000-memory.dmp

memory/1472-875-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/1472-876-0x000000007EF20000-0x000000007EF21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

MD5 ac1924239b7ea402a0e2e5c1c24874a0
SHA1 2f3596ef189233f3041a664dc958aa1b58a695c6
SHA256 fc2a07046b06c894e54d84e97d4eb23415d8a29faa185978c874da76deb685f7
SHA512 68ede10befc8528a0f86f60c90cfbd4437df0eee3cf149fbdf48ee35038876525c6edf5e70729b29754496e3c7cfbfb086f01ab0e8fca999a9a8e0b18504f9b5

memory/1472-897-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/1472-898-0x000000007EF60000-0x000000007EF61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 23:37

Reported

2024-02-23 23:40

Platform

win10v2004-20240221-en

Max time kernel

147s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe"

Signatures

Renames multiple (581) files with added filename extension

ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation | C:\ProgramData\3063.tmp | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\3063.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\3063.tmp | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1414748551-1520717498-2956787782-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1414748551-1520717498-2956787782-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PP7at0qi7_oxmedcn4puxgjzbd.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PPg2a1lr629q0udn5xcmkkt2q9.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PPei4pl4yc9grsz9511bnjd3i0.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\VFW6UbLgG.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\VFW6UbLgG.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.VFW6UbLgG\ = "VFW6UbLgG" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VFW6UbLgG\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VFW6UbLgG | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VFW6UbLgG\DefaultIcon\ = "C:\\ProgramData\\VFW6UbLgG.ico" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.VFW6UbLgG | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
(64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe | N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3760 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe C:\Windows\splwow64.exe
PID 3760 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe C:\Windows\splwow64.exe
PID 1996 wrote to memory of 4944 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 1996 wrote to memory of 4944 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 3760 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe C:\ProgramData\3063.tmp
PID 3760 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe C:\ProgramData\3063.tmp
PID 3760 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe C:\ProgramData\3063.tmp
PID 3760 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe C:\ProgramData\3063.tmp
PID 3364 wrote to memory of 212 N/A C:\ProgramData\3063.tmp C:\Windows\SysWOW64\cmd.exe
PID 3364 wrote to memory of 212 N/A C:\ProgramData\3063.tmp C:\Windows\SysWOW64\cmd.exe
PID 3364 wrote to memory of 212 N/A C:\ProgramData\3063.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{556A510D-64AD-475B-8D28-F513A0CF8C1F}.xps" 133532051093780000

C:\ProgramData\3063.tmp

"C:\ProgramData\3063.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3063.tmp >> NUL

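Read together, the WriteProcessMemory rows and the command lines above describe one chain: the sample (PID 3760) writes into the spooler helper splwow64.exe and into the file it dropped at C:\ProgramData\3063.tmp, and 3063.tmp (PID 3364) then launches cmd.exe with DEL /F /Q against its own image, which is the self-deletion step. The printfilterpipelinesvc.exe -> ONENOTE.EXE /insertdoc pair is the print pipeline handing an .xps to the sandbox's default "Send to OneNote" printer, consistent with the ransom note being sent to the printer. The script below is an added example, not part of the report: it parses the rows, de-duplicates them, rebuilds the chains and flags the self-delete step. The rows and command lines are copied from this page; the PID-to-command-line mapping is taken from the same table; only the Python standard library is used.

```python
"""Rebuild the process chain from a sandbox report's WriteProcessMemory rows
and flag the self-deletion step (cmd.exe deleting the image of the process
that wrote into it). Added example; the rows and command lines below are
copied from the report, the PID mapping comes from the same table."""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-02-23_ab1803812fbf7caf9c71d2794572d062_darkside.exe"
TMP = r"C:\ProgramData\3063.tmp"

# The 11 rows of the "Suspicious use of WriteProcessMemory" table, verbatim.
WPM_ROWS = (
    [rf"PID 3760 wrote to memory of 2416 N/A {SAMPLE} C:\Windows\splwow64.exe"] * 2
    + [r"PID 1996 wrote to memory of 4944 N/A C:\Windows\system32\printfilterpipelinesvc.exe "
       r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"] * 2
    + [rf"PID 3760 wrote to memory of 3364 N/A {SAMPLE} {TMP}"] * 4
    + [rf"PID 3364 wrote to memory of 212 N/A {TMP} C:\Windows\SysWOW64\cmd.exe"] * 3
)

# Command lines from the Processes section, keyed by the PIDs the table gives.
CMDLINES = {
    3760: f'"{SAMPLE}"',
    2416: r"C:\Windows\splwow64.exe 12288",
    1996: r"C:\Windows\system32\printfilterpipelinesvc.exe -Embedding",
    4944: r'/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{556A510D-64AD-475B-8D28-F513A0CF8C1F}.xps" 133532051093780000',
    3364: f'"{TMP}"',
    212: r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3063.tmp >> NUL',
}

# Source and target both start with "C:\"; non-greedy so the first path ends
# at the separator before the second one (handles "Program Files" spaces).
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")
# "DEL", any single-letter switches, then the first path argument.
DEL_RE = re.compile(r"\bDEL\s+(?:/[A-Z]\s+)*(\S+)", re.IGNORECASE)


def parse_wpm(rows):
    """Return de-duplicated (src_pid, dst_pid, src_image, dst_image) edges, first-seen order."""
    edges, seen = [], set()
    for row in rows:
        m = WPM_RE.match(row)
        if m is None:
            raise ValueError(f"unparsed row: {row!r}")
        edge = (int(m[1]), int(m[2]), m[3], m[4])
        if edge[:2] not in seen:
            seen.add(edge[:2])
            edges.append(edge)
    return edges


def chains(edges):
    """Walk src->dst links from every root (a PID nobody wrote into) down to the leaves."""
    children, written_into = {}, set()
    for src, dst, _, _ in edges:
        children.setdefault(src, []).append(dst)
        written_into.add(dst)
    paths = []

    def walk(pid, path):
        path = path + [pid]
        if pid not in children:
            paths.append(path)
        for child in children.get(pid, []):
            walk(child, path)

    for root in sorted(set(children) - written_into):
        walk(root, [])
    return paths


def self_delete_hits(edges, cmdlines):
    """A child cmd.exe whose DEL target is the image of the process that wrote into it.
    Compared by basename so the 8.3 form (PROGRA~3) still matches the full path."""
    hits = []
    for src, dst, src_img, dst_img in edges:
        if ntpath.basename(dst_img).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(cmdlines.get(dst, ""))
        if m and ntpath.basename(m[1]).lower() == ntpath.basename(src_img).lower():
            hits.append({"deleted_image": src_img, "by_pid": dst, "cmdline": cmdlines[dst]})
    return hits


def report(rows=WPM_ROWS, cmdlines=CMDLINES):
    edges = parse_wpm(rows)
    return {
        "edges": [(s, d) for s, d, _, _ in edges],
        "chains": chains(edges),
        "self_delete": self_delete_hits(edges, cmdlines),
    }


if __name__ == "__main__":
    result = report()
    for chain in result["chains"]:
        print(" -> ".join(str(pid) for pid in chain))
    for hit in result["self_delete"]:
        print("self-delete:", hit["deleted_image"], "removed by PID", hit["by_pid"])
```

The same basename comparison is what a detection rule on process-creation telemetry needs: cmd.exe launched by a process whose image lives under ProgramData with a non-executable extension, with a DEL argument naming that image, is the pattern to alert on; the 8.3 short name in the captured command line is why matching on the full path would miss it.
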
Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
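
Every row in the table is a UDP query to 8.8.8.8:53 for an in-addr.arpa name, i.e. a reverse (PTR) lookup, and no connection to any of the looked-up addresses appears. The script below is an added example, not part of the report: it decodes each PTR name back into the address that was looked up, classifies it with the ipaddress module, and checks whether any decoded address was also contacted directly (none is, in this capture). Whether the lookups come from the sample or from OS and Office background activity in the sandbox cannot be decided from this table alone.

```python
"""Decode the PTR names in a sandbox Network table back to the addresses
that were looked up and check what the table does and does not show.
Added example; the rows are copied from this report."""
import ipaddress

NETWORK_ROWS = [
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp",
    "US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp",
    "US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp",
    "US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp",
    "US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp",
    "US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp",
    "US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp",
    "US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp",
    "US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp",
    "US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp",
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """'134.32.126.40.in-addr.arpa' -> IPv4Address('40.126.32.134') (octets are reversed)."""
    if not name.endswith(PTR_SUFFIX):
        raise ValueError(f"not a reverse-DNS name: {name}")
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        raise ValueError(f"expected 4 octets: {name}")
    return ipaddress.IPv4Address(".".join(reversed(octets)))


def analyse(rows):
    """Split rows into PTR lookups and anything else, then cross-check the two."""
    lookups, direct = [], []
    for row in rows:
        country, dest, domain, proto = row.split()
        host, port = dest.rsplit(":", 1)
        if proto == "udp" and port == "53" and domain.endswith(PTR_SUFFIX):
            ip = ptr_to_ip(domain)
            lookups.append({"ip": str(ip), "global": ip.is_global, "resolver": host})
        else:
            direct.append({"dest": dest, "proto": proto, "domain": domain})
    looked_up = {entry["ip"] for entry in lookups}
    contacted = {entry["dest"].rsplit(":", 1)[0] for entry in direct}
    return {
        "lookups": lookups,
        "direct": direct,
        # Addresses that were resolved in reverse and then actually connected to.
        "looked_up_then_contacted": sorted(looked_up & contacted),
    }


if __name__ == "__main__":
    result = analyse(NETWORK_ROWS)
    for entry in result["lookups"]:
        print(f"PTR {entry['ip']:<16} global={entry['global']} via {entry['resolver']}")
    print("non-DNS destinations:", result["direct"])
    print("resolved and contacted:", result["looked_up_then_contacted"])
```

The decoded addresses are the ones to pivot on in proxy and firewall logs; a PTR lookup by itself is not evidence of command-and-control, and the absence of any non-DNS row here means this detonation produced no observable C2 traffic.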

Files

memory/3760-0-0x00000000025F0000-0x0000000002600000-memory.dmp

memory/3760-1-0x00000000025F0000-0x0000000002600000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1414748551-1520717498-2956787782-1000\AAAAAAAAAAA

MD5 c9a5186c8714902c6e3e829e1ed2a977
SHA1 5a7a4612d648979e64155a2ed1fbc27335f29f3d
SHA256 ab132d270ec604dfeca7e1bcd2f59440e89700d7b348b104439ddf4fd173c585
SHA512 0f994994b4d55c8af13f7dfb859494dcb30d973aa7e00f18203918d01b3ae2834d5105835e293512eb8024dfc5e39c808af6edc9d192e393d0ae06f69527cbf8

F:\$RECYCLE.BIN\S-1-5-21-1414748551-1520717498-2956787782-1000\DDDDDDDDDDD

MD5 cd09e9b2a76fbadbd56cba92bd373b79
SHA1 d296db4144b595eb8a8b2e732c14bb7978f5f223
SHA256 caed7d1f7e51be410581633a4931172f76ecac4edf4d58e2a12e208a4a91abd0
SHA512 bd8b4460399cddd9a64763bb2e9f02a543b68660eda7cb6d94d235491b572c1f8de31e7c6c2256022a8a30716367a68d622761542539643144eacee940f64c0a

C:\VFW6UbLgG.README.txt

MD5 e9be5a0f0d9210e6811d3bcaebccd730
SHA1 3a2bb8ed9424a961e4ab31afbdd7281357714170
SHA256 22777a1e05a783810c2b9bd6bdb30037d10fa1c50e3faf1e3756833545f7bb39
SHA512 0df3b35767739ba0990df4172be3eef69c3c86c7df0ee119526dc19fa54478316aa63bc40b3e7d8cdcd9fadcd947475db4b96a9e01daed60a21a69957c96f766

memory/3760-2741-0x00000000025F0000-0x0000000002600000-memory.dmp

memory/3760-2743-0x00000000025F0000-0x0000000002600000-memory.dmp

memory/3760-2742-0x00000000025F0000-0x0000000002600000-memory.dmp

C:\ProgramData\3063.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/4944-2758-0x00007FF935710000-0x00007FF935720000-memory.dmp

memory/4944-2760-0x00007FF935710000-0x00007FF935720000-memory.dmp

memory/4944-2761-0x00007FF935710000-0x00007FF935720000-memory.dmp

memory/4944-2791-0x00007FF975690000-0x00007FF975885000-memory.dmp

memory/4944-2769-0x00007FF935710000-0x00007FF935720000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 873efab6ebfa51eeb8b8b7b06fbc0e25
SHA1 05a3997b77b089af027eed769b1bd1706b6ebd22
SHA256 ae95209417b415c95c111a0919c2c284444a6c40ffcd1f4da7425ebc8e43e9d8
SHA512 4d51f124f4cc8baaf3bb54d2093ed8c03cab35c92163d328735b01ca8d4dfaacd30952c14ef1ae67af32aa71c9e95ad43b13a27add5866c4e069e39b6093ee76

memory/4944-2793-0x00007FF975690000-0x00007FF975885000-memory.dmp

memory/4944-2792-0x00007FF935710000-0x00007FF935720000-memory.dmp

memory/4944-2794-0x00007FF975690000-0x00007FF975885000-memory.dmp

memory/4944-2795-0x00007FF975690000-0x00007FF975885000-memory.dmp

memory/4944-2796-0x00007FF975690000-0x00007FF975885000-memory.dmp

memory/4944-2798-0x00007FF932F40000-0x00007FF932F50000-memory.dmp

memory/4944-2799-0x00007FF975690000-0x00007FF975885000-memory.dmp

memory/4944-2797-0x00007FF975690000-0x00007FF975885000-memory.dmp

memory/4944-2802-0x00007FF975690000-0x00007FF975885000-memory.dmp

memory/4944-2801-0x00007FF932F40000-0x00007FF932F50000-memory.dmp

memory/4944-2803-0x00007FF975690000-0x00007FF975885000-memory.dmp

memory/4944-2800-0x00007FF975690000-0x00007FF975885000-memory.dmp

memory/4944-2804-0x00007FF975690000-0x00007FF975885000-memory.dmp

memory/4944-2805-0x00007FF975690000-0x00007FF975885000-memory.dmp

memory/4944-2806-0x00007FF975690000-0x00007FF975885000-memory.dmp

memory/4944-2807-0x00007FF975690000-0x00007FF975885000-memory.dmp

memory/4944-2808-0x00007FF975690000-0x00007FF975885000-memory.dmp

memory/4944-2809-0x00007FF975690000-0x00007FF975885000-memory.dmp

memory/4944-2810-0x00007FF975690000-0x00007FF975885000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{D402165B-6EFE-42B3-BBEC-66C75ABBBEDF}

MD5 c09e9bf068f6f5a3c5940e35da82f302
SHA1 d2acbfbdbf7a67045e7852e37b7adbabb016f51b
SHA256 021fe9ecf97f331a4a6612dea58aa04dcd59f488510d3c784b895ef5a9437251
SHA512 a04e897dd55a698402e753b59594ef06db7c1f351b9f0f83c657ebe88f751db4a6b2d810848d95a8c5073dec03ec092856a26b8ffa88fd089137ce0373f98f6b

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 7b1feb90639f59d42cc721e03e4b87a6
SHA1 a91cae5078eeabfd3eb0ce8360cb06b864ff4c63
SHA256 20d90c88e22b5e6052a7fb1b86f0c27ed6998b784652334c122a61ff747a74e5
SHA512 a6e129952fd13c50b4c0a9fd6811643c8e4009a93b4a69750406646cbacdb2679cf291c9f0df23f1272f080a3867c2d8bdd2d3f4a16c165b8cd1c1d0cd96e250

memory/4944-2829-0x00007FF975690000-0x00007FF975885000-memory.dmp

memory/4944-2830-0x00007FF975690000-0x00007FF975885000-memory.dmp
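
The Files section lists the ransom note C:\VFW6UbLgG.README.txt, the self-delete helper C:\ProgramData\3063.tmp and the AAAAAAAAAAA / DDDDDDDDDDD files written into the recycle bins, each with its hashes. The script below is an added example, not part of the report: it walks a directory tree, picks up any <id>.README.txt note, treats files whose last extension equals that 9-character id as encrypted (an assumption: LockBit 3.0 appends the note's id to the files it encrypts, which this section does not show directly), and matches every file's SHA256 against the hashes listed above. demo() builds a constructed sample tree; nothing in that tree comes from the report.

```python
"""Scan a directory tree for the artefacts a LockBit 3.0 detonation leaves:
the <id>.README.txt ransom note, files carrying that id as an appended
extension, and SHA256 matches against the dropped files listed in the report.
Added example; the hashes are copied from the report's Files section, the
id-as-extension rule is an assumption about the family."""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA256 values copied from the Files section of this report.
REPORT_SHA256 = {
    "917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2": r"C:\ProgramData\3063.tmp",
    "22777a1e05a783810c2b9bd6bdb30037d10fa1c50e3faf1e3756833545f7bb39": r"C:\VFW6UbLgG.README.txt",
    "ab132d270ec604dfeca7e1bcd2f59440e89700d7b348b104439ddf4fd173c585":
        r"C:\$Recycle.Bin\S-1-5-21-1414748551-1520717498-2956787782-1000\AAAAAAAAAAA",
    "caed7d1f7e51be410581633a4931172f76ecac4edf4d58e2a12e208a4a91abd0":
        r"F:\$RECYCLE.BIN\S-1-5-21-1414748551-1520717498-2956787782-1000\DDDDDDDDDDD",
}

# Ransom note name: a 9-character alphanumeric id followed by .README.txt.
NOTE_RE = re.compile(r"^([A-Za-z0-9]{9})\.README\.txt$")


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root):
    root = Path(root)
    files = [p for p in sorted(root.rglob("*")) if p.is_file()]
    notes, ids, hash_hits = [], set(), []
    for p in files:
        m = NOTE_RE.match(p.name)
        if m:
            ids.add(m[1])
            notes.append(p.relative_to(root).as_posix())
        digest = sha256_file(p)
        if digest in REPORT_SHA256:
            hash_hits.append((p.relative_to(root).as_posix(), REPORT_SHA256[digest]))
    # Second pass: anything whose last extension is one of the note ids
    # (assumed to be the extension the locker appended), excluding the notes.
    encrypted = [
        p.relative_to(root).as_posix()
        for p in files
        if p.suffix[1:] in ids and not NOTE_RE.match(p.name)
    ]
    return {"ids": sorted(ids), "notes": notes, "encrypted": encrypted, "hash_hits": hash_hits}


def demo():
    """Run the scanner over a constructed tree (not taken from the report)."""
    with tempfile.TemporaryDirectory(prefix="lb3_") as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "VFW6UbLgG.README.txt").write_text("ransom note placeholder\n")
        (root / "docs" / "report.docx.VFW6UbLgG").write_bytes(b"\x00" * 64)
        (root / "docs" / "clean.txt").write_text("untouched\n")
        (root / "empty.bin").write_bytes(b"")
        return scan(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Hash matching only catches the exact dropped files from this detonation (the note text and the helper are often identical across victims of one build, the recycle-bin files are not), so the name-pattern checks are what scale to another host; on a live system run the scan from a clean boot medium, since the locker deletes its own helper once it has run.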