Malware Analysis Report

2024-11-30 11:44

Sample ID 240223-b7msbahe8z
Target 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside
SHA256 a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0
Tags: lockbit, ransomware, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0

Threat Level: Known bad

The file 2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside was found to be: Known bad.

Malicious Activity Summary

Tags: lockbit, ransomware, spyware, stealer

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Renames multiple (311) files with added filename extension

Renames multiple (591) files with added filename extension

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies Control Panel

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 01:47

Signatures

Lockbit family

Tags: lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 01:47

Reported

2024-02-23 01:49

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe"

Signatures

Renames multiple (311) files with added filename extension

Tags: ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\61BF.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\61BF.tmp | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A

Sets desktop wallpaper using registry

Tags: ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\2zAdN8qob.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\2zAdN8qob.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\61BF.tmp | N/A

Modifies Control Panel

Tags: evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.2zAdN8qob | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.2zAdN8qob\ = "2zAdN8qob" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\2zAdN8qob\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\2zAdN8qob | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\2zAdN8qob\DefaultIcon\ = "C:\\ProgramData\\2zAdN8qob.ico" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A (this identical row is recorded 14 times)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe"

C:\ProgramData\61BF.tmp

"C:\ProgramData\61BF.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\61BF.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files

memory/2212-0-0x00000000001C0000-0x0000000000200000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini

MD5 e77d37b790e6a4c2e55fec4f46d5c8c1
SHA1 27ec916543e1dc85f1ba86faa96d927d008d5b96
SHA256 1d3db89070d0a40177a107940b78c36de5b82caab7bba1d4f0b1bf6674e39df4
SHA512 1cff47b22998e04c6e778b0c84161e1d5e012aa30c8a07be4442471d601beb460820f46ef93b05f07d3130d432228f5d401c5f58cbac09181ca9add8f9bb3517

F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\DDDDDDDDDDD

MD5 d953149cebe7b051c1dae623b8db160e
SHA1 e6708fed7fbd56dcfb90d639332ed80ee7706b94
SHA256 16b6b8dc20f795bef8ccee48ab24685cb69bb2ed2467d89ad7dca2681ffef1c8
SHA512 be7f8a24f99f283fc3256558302c1efcdd2897d9addf36001b658d3b4edf74c453d751ce99a019b9fb62e88f4600bf1e17fdccb9ebcdd8aea9daca86a418fb51

C:\2zAdN8qob.README.txt

MD5 5ddb821b9f16c355689466bbf403c709
SHA1 0af9cd9d9dbd3745f0dcd64f07aac19c749884a7
SHA256 c3a9f3fd8c57ecc6361b705409279b96b228de99ef056e0dc9b51819746bc8d6
SHA512 1da4c9268eba6a19fc136e5d3feb670a8c213f9382c5a202ed4af894da0e2d60e8540aec2785de93428046a39bf6128df36ff8cab8dca30fae693d4beab44c1a

\ProgramData\61BF.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/768-837-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/768-838-0x0000000000250000-0x0000000000290000-memory.dmp

memory/768-839-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/768-840-0x000000007EF20000-0x000000007EF21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 76f22172160f0960caa3fe841a3183aa
SHA1 c730070e40110c58af0453194327c6712740f1b7
SHA256 84f040d08fbe8ec75899bf49f980d295767fa606b59bfbde2b4a1217b8db6c41
SHA512 60539e8252042b4c1e5823e1a71c3124a0f6b39c5d6c582ef2a5d712d9117a699ed1f264205d72468622963ccab3a8a8c4b99d10fca0c7017762267eac512240

memory/768-870-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/768-869-0x000000007EF40000-0x000000007EF41000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 01:47

Reported

2024-02-23 01:49

Platform

win10v2004-20240221-en

Max time kernel

147s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe"

Signatures

Renames multiple (591) files with added filename extension

Tags: ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation | C:\ProgramData\6AFF.tmp | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\6AFF.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\6AFF.tmp | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-910440534-423636034-2318342392-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-910440534-423636034-2318342392-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\spool\PRINTERS\PP4i0qhaodf44mp_6kg08pmny8d.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PPp7idgxvxvwe76gnn6te9mkssc.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PPg04wjpqh20xhhm5jql24ds_l.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A

Sets desktop wallpaper using registry

Tags: ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\2zAdN8qob.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\2zAdN8qob.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\6AFF.tmp | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Modifies Control Panel

Tags: evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\2zAdN8qob\DefaultIcon\ = "C:\\ProgramData\\2zAdN8qob.ico" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.2zAdN8qob | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.2zAdN8qob\ = "2zAdN8qob" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\2zAdN8qob\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\2zAdN8qob | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe | N/A (this identical row is recorded 64 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
Token: SeBackupPrivilege (24 adjustments recorded, in pairs alternating with SeSecurityPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
Token: SeSecurityPrivilege (24 adjustments recorded, in pairs alternating with SeBackupPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe N/A
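
The privilege set above (SeBackup, SeRestore, SeTakeOwnership, SeSecurity, SeManageVolume, SeDebug, plus shutdown and quota rights) is what an encryptor enables so that it can read, rewrite and re-own every file regardless of its ACL and open other processes; a backup agent enables SeBackup/SeRestore too, so the combination rather than any single privilege is the signal. On a host this surfaces as Security event 4703 ("A user right was adjusted"), whose EnabledPrivilegeList names the privileges a process turned on. The following Python is an added example, not code from the report or from the sandbox: it resolves raw LUIDs such as the "33" row to names using the winnt.h constants, normalizes spelling variants, and flags records that enable the ACL-bypass set together with debug or volume control. The three records in SAMPLE_4703 are constructed to mirror this report's rows plus two benign processes; they are not real event-log exports, and their key=value layout is a simplification of the real 4703 fields.

```python
r"""Flag processes that enable a ransomware-style privilege set.

Added example, not part of the sandbox report. Records are shaped after
Windows Security event 4703 ("A user right was adjusted"); the constructed
key=value layout below is a simplification of the real event's fields.
"""

# Privilege LUIDs from winnt.h (SE_*_PRIVILEGE constants). The sandbox left
# one entry numeric ("Token: 33"); this table resolves such entries.
LUID_TO_NAME = {
    5: "SeIncreaseQuotaPrivilege", 8: "SeSecurityPrivilege",
    9: "SeTakeOwnershipPrivilege", 11: "SeSystemProfilePrivilege",
    13: "SeProfileSingleProcessPrivilege", 17: "SeBackupPrivilege",
    18: "SeRestorePrivilege", 19: "SeShutdownPrivilege", 20: "SeDebugPrivilege",
    28: "SeManageVolumePrivilege", 33: "SeIncreaseWorkingSetPrivilege",
}
# Spelling variants seen in tool output, mapped to the canonical name.
ALIASES = {"SeProfSingleProcessPrivilege": "SeProfileSingleProcessPrivilege"}

# Together these let a process read, rewrite and re-own files regardless of
# their ACLs: what an encryptor needs on every reachable file.
ACL_BYPASS = {"SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}

# Constructed records: the sample (PID 4564 = 0x11d4) mirrors the rows above;
# the other two are benign processes for contrast.
SAMPLE_4703 = r"""
ProcessName=C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe;ProcessId=0x11d4;EnabledPrivilegeList=SeIncreaseQuotaPrivilege,33,SeManageVolumePrivilege,SeProfSingleProcessPrivilege,SeRestorePrivilege,SeSecurityPrivilege,SeSystemProfilePrivilege,SeTakeOwnershipPrivilege,SeShutdownPrivilege,SeDebugPrivilege,SeBackupPrivilege
ProcessName=C:\Windows\System32\svchost.exe;ProcessId=0x3e8;EnabledPrivilegeList=SeIncreaseQuotaPrivilege,SeShutdownPrivilege
ProcessName=C:\Program Files\Vendor\backupagent.exe;ProcessId=0x2a4;EnabledPrivilegeList=SeBackupPrivilege,SeRestorePrivilege,SeSecurityPrivilege
"""


def normalize(priv: str) -> str:
    """Return the canonical privilege name for a name or a raw LUID string."""
    priv = priv.strip()
    if priv.isdigit():
        return LUID_TO_NAME.get(int(priv), f"LUID:{priv}")
    return ALIASES.get(priv, priv)


def parse_records(text: str) -> list:
    """Parse the constructed key=value records into dicts with a privilege set."""
    records = []
    for line in text.strip().splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split(";"))
        privs = {normalize(p) for p in fields["EnabledPrivilegeList"].split(",")}
        records.append({
            "process": fields["ProcessName"],
            "pid": int(fields["ProcessId"], 16),
            "privileges": privs,
        })
    return records


def assess(privs: set) -> list:
    """Return the reasons a privilege set looks like encryptor tooling."""
    reasons = []
    bypass = privs & ACL_BYPASS
    if len(bypass) >= 2:
        reasons.append("ACL bypass: " + ", ".join(sorted(bypass)))
    if "SeDebugPrivilege" in privs:
        reasons.append("SeDebugPrivilege: can open protected processes")
    if "SeManageVolumePrivilege" in privs:
        reasons.append("SeManageVolumePrivilege: raw volume access")
    if "SeSecurityPrivilege" in privs:
        reasons.append("SeSecurityPrivilege: can read/alter SACLs and audit policy")
    return reasons


def is_suspicious(privs: set) -> bool:
    """ACL bypass plus debug or volume control. A backup agent legitimately
    enables SeBackup/SeRestore; it has no reason to enable SeDebugPrivilege
    or SeManageVolumePrivilege alongside them."""
    return len(privs & ACL_BYPASS) >= 2 and bool(
        privs & {"SeDebugPrivilege", "SeManageVolumePrivilege"}
    )


def flag_processes(text: str) -> list:
    """Return (pid, process, reasons) for every suspicious record in text."""
    hits = []
    for rec in parse_records(text):
        if is_suspicious(rec["privileges"]):
            hits.append((rec["pid"], rec["process"], assess(rec["privileges"])))
    return hits


if __name__ == "__main__":
    for pid, proc, reasons in flag_processes(SAMPLE_4703):
        print(f"PID {pid} {proc}")
        for r in reasons:
            print("   -", r)
```

Run as a script it prints only the sample's record; the svchost.exe and backup-agent records fall below the rule. The threshold is deliberately a heuristic: tune ACL_BYPASS and the debug/volume clause to the software inventory of the estate before using it as an alert.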

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4564 wrote to memory of 5112 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe C:\Windows\splwow64.exe
PID 4044 wrote to memory of 2296 (2 events) N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 4564 wrote to memory of 3980 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe C:\ProgramData\6AFF.tmp
PID 3980 wrote to memory of 2284 (3 events) N/A C:\ProgramData\6AFF.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{31A1726B-85C5-4562-A952-98E6F1268C64}.xps" 133531264470240000

C:\ProgramData\6AFF.tmp

"C:\ProgramData\6AFF.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6AFF.tmp >> NUL
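
The Processes list is flat, but the WriteProcessMemory rows give the spawn relationships: the sample (PID 4564) starts splwow64.exe and the dropped helper C:\ProgramData\6AFF.tmp (PID 3980), and 6AFF.tmp starts cmd.exe to delete it afterwards; the DEL target C:\PROGRA~3\6AFF.tmp is the 8.3 short form of the same path, with errors sent to NUL. Sandboxes record WriteProcessMemory for ordinary process creation too, because CreateProcess writes the child's startup parameters into the new process, so these rows mirror the process tree rather than showing injection into a running process. The splwow64.exe / PrintWorkflowUserSvc / printfilterpipelinesvc.exe / ONENOTE.EXE /insertdoc branch is the Windows print pipeline handing a job to the "Send to OneNote" print target; LockBit 3.0 is known to print its ransom note to available printers, and this branch is consistent with that, although the report itself does not attribute it. The trailing /insertdoc argument 133531264470240000 is a Windows FILETIME and decodes to 2024-02-23 01:47:27 UTC, matching the Reported time. The following Python is an added example, not code from the report or from any tool it names: it rebuilds the chain from the rows above, expands the 8.3 alias, flags the self-deleting helper, and decodes the FILETIME. The PROGRA~3 = ProgramData mapping is an assumption about this VM only, since short names depend on directory creation order.

```python
r"""Rebuild the process chain from the WriteProcessMemory rows and flag the
dropped-helper self-deletion pattern.

Added example, not part of the sandbox report. WPM_ROWS and CMDLINES are
copied from the tables above. SHORT_NAMES is an assumption about this VM:
the report pairs C:\ProgramData\6AFF.tmp with C:\PROGRA~3\6AFF.tmp, but
8.3 aliases depend on directory creation order and differ between hosts.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-02-23_951a7673b6ad24bfcbf086db0873c7f4_darkside.exe"

# (writer pid, target pid, writer image, target image); repeated events collapsed.
WPM_ROWS = [
    (4564, 5112, SAMPLE, r"C:\Windows\splwow64.exe"),
    (4044, 2296, r"C:\Windows\system32\printfilterpipelinesvc.exe",
     r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"),
    (4564, 3980, SAMPLE, r"C:\ProgramData\6AFF.tmp"),
    (3980, 2284, r"C:\ProgramData\6AFF.tmp", r"C:\Windows\SysWOW64\cmd.exe"),
]

CMDLINES = {
    4564: f'"{SAMPLE}"',
    5112: r"C:\Windows\splwow64.exe 12288",
    3980: r'"C:\ProgramData\6AFF.tmp"',
    2284: r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6AFF.tmp >> NUL',
}

SHORT_NAMES = {"PROGRA~3": "ProgramData"}  # assumed for this VM only

# cmd.exe /C DEL [/F /Q ...] <target> [>> NUL]
DEL_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+del\s+(?:/\S+\s+)*(?P<target>[^\s>]+)', re.IGNORECASE)


def expand_short(path: str) -> str:
    """Expand known 8.3 aliases in a path using the assumed table above."""
    return "\\".join(SHORT_NAMES.get(p.upper(), p) for p in path.split("\\"))


def build_tree(rows):
    """Return (parent_of, image_of). A WriteProcessMemory edge is treated as a
    parent/child edge: CreateProcess writes the child's startup parameters
    into the new process, which is why sandboxes log it for ordinary spawns.
    Only a write into an already-running, unrelated process is injection."""
    parent_of, image_of = {}, {}
    for src, dst, src_img, dst_img in rows:
        parent_of.setdefault(dst, src)
        image_of.setdefault(src, src_img)
        image_of.setdefault(dst, dst_img)
    return parent_of, image_of


def lineage(pid, parent_of):
    """Ancestor chain [pid, parent, grandparent, ...]."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain


def find_self_delete(rows, cmdlines):
    """Find cmd.exe children whose DEL target is an ancestor's own image."""
    parent_of, image_of = build_tree(rows)
    hits = []
    for pid, cmd in cmdlines.items():
        m = DEL_RE.search(cmd)
        if not m:
            continue
        target = expand_short(m.group("target")).lower()
        chain = lineage(pid, parent_of)
        for anc in chain[1:]:
            if image_of.get(anc, "").lower() == target:
                hits.append({"cmd_pid": pid, "deleted_pid": anc,
                             "deleted_image": image_of[anc], "spawner_chain": chain})
    return hits


def filetime_to_utc(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


if __name__ == "__main__":
    for hit in find_self_delete(WPM_ROWS, CMDLINES):
        print(f"PID {hit['cmd_pid']} deletes image of PID {hit['deleted_pid']}: "
              f"{hit['deleted_image']} via chain {hit['spawner_chain']}")
    print("OneNote /insertdoc timestamp:", filetime_to_utc(133531264470240000))
```

The same rule ports to EDR data: join cmd.exe command lines against the image paths of their ancestors, expanding 8.3 aliases with the host's own table (GetLongPathName on the box, or a per-image lookup built from the file system) rather than a hard-coded mapping.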

Network

Country Destination (resolver) Domain (PTR query name) Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 2.17.178.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
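
The Network table records only reverse (PTR) lookups sent to the sandbox's resolver at 8.8.8.8; it does not name the querying process, and no outbound connection from the sample appears in this report, so these rows should not be read as command-and-control without process-level DNS telemetry. A PTR name lists the address octets in reverse order under in-addr.arpa, so 64.159.190.20.in-addr.arpa is a lookup for 20.190.159.64. The following Python is an added example, not code from the report: it decodes the ten query names above back to addresses, checks their scope, and buckets them by prefix. It goes beyond the table by also handling ip6.arpa nibble names, which this report does not contain.

```python
"""Decode PTR query names from the Network table back to addresses.

Added example, not part of the sandbox report. PTR_QUERIES is copied from the
table above. The report gives no querying process, so nothing here attributes
a lookup to the sample.
"""
import ipaddress
from collections import Counter

PTR_QUERIES = [
    "64.159.190.20.in-addr.arpa", "209.178.17.96.in-addr.arpa",
    "205.47.74.20.in-addr.arpa", "2.17.178.52.in-addr.arpa",
    "26.165.165.52.in-addr.arpa", "171.39.242.20.in-addr.arpa",
    "18.134.221.88.in-addr.arpa", "173.178.17.96.in-addr.arpa",
    "29.243.111.52.in-addr.arpa", "0.205.248.87.in-addr.arpa",
]


def ptr_to_ip(name: str):
    """Turn a PTR query name into an IPv4Address/IPv6Address, else ValueError.

    in-addr.arpa carries the four octets reversed; ip6.arpa carries all 32
    hex nibbles reversed, one per label.
    """
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            raise ValueError(f"not a full IPv4 PTR name: {name}")
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError(f"not a full IPv6 PTR name: {name}")
        return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    raise ValueError(f"not a PTR name: {name}")


def bucket(ip, prefixlen: int) -> str:
    """Network containing ip at the given prefix length, as a string."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def triage(queries):
    """One dict per query: decoded address, scope flags and a coarse bucket."""
    out = []
    for q in queries:
        ip = ptr_to_ip(q)
        out.append({
            "query": q, "ip": str(ip),
            "global": ip.is_global, "private": ip.is_private,
            "bucket": bucket(ip, 16 if ip.version == 4 else 32),
        })
    return out


def prefix_counts(queries, prefixlen: int = 8) -> Counter:
    """Count decoded addresses per prefix. Many different prefixes from one
    short run tend to be OS/application background resolution; one prefix
    queried repeatedly is the one to look at first."""
    return Counter(bucket(ptr_to_ip(q), prefixlen) for q in queries)


if __name__ == "__main__":
    for row in triage(PTR_QUERIES):
        print(f"{row['query']:<32} -> {row['ip']:<16} global={row['global']}")
    for net, n in prefix_counts(PTR_QUERIES).most_common():
        print(f"{net:<14} {n}")
```

All ten names decode to public addresses spread over five /8 prefixes; pairing them with per-process DNS events (Sysmon event 22 or the DNS client log) is what would turn any of them into an indicator.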

Files

memory/4564-0-0x0000000003010000-0x0000000003020000-memory.dmp

memory/4564-1-0x0000000003010000-0x0000000003020000-memory.dmp

memory/4564-2-0x0000000003010000-0x0000000003020000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-910440534-423636034-2318342392-1000\desktop.ini

MD5 1d93c7b775cca424d83363f4e33ed4a2
SHA1 ab854dec701a556943ad4bac272696aa7810c1c9
SHA256 5b3bf8188a69d651e5d5b46f6020f1685658804a9ad654eb642bfa89e6bba5a1
SHA512 ab561127a7081ca4bebc4d6618844236267f6b653435d67a27d92a5589abce75e649132e01802f347a0ccf7b024868c9d1bd53bc9c19de4cc05269f8a21a0593

F:\$RECYCLE.BIN\S-1-5-21-910440534-423636034-2318342392-1000\EEEEEEEEEEE

MD5 ac748e1a7d9ce0a4fb62f7169f30fab9
SHA1 dd9fa8b71faa5aa39c2aef6636820ef78edf7856
SHA256 992ab1584937363537a1db4b773b681440ce5a0cb6e0d3f93693ca825e514ab0
SHA512 3a6d29db622180a2903e3bfc77c922cb7982080e93a4cdfb734cbba144df83e7d4ef80662069fecc29de426eeec0663b1ff564fc5ded426927e6d897c4f33878

C:\2zAdN8qob.README.txt

MD5 209661f56bdc47efd6745e3a5568c917
SHA1 a1932b425be0f4bcb2966cda601d38f7a56e6249
SHA256 70041a51d082cff43cf632817ff61521f96aaea5d13746098df42e5cd9927d23
SHA512 6c1b448931f6b1321a9e81c945f8d112cd1333e9b6fd4af322e83146b21ba6dc0a90b62e59c55afded3d64aae66d3699201f53c34712be0f9cc7e8ec17ce2ea9

C:\ProgramData\6AFF.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2296-2862-0x00007FFA69290000-0x00007FFA692A0000-memory.dmp

memory/2296-2864-0x00007FFA69290000-0x00007FFA692A0000-memory.dmp

memory/2296-2863-0x00007FFA69290000-0x00007FFA692A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 db4579e1e6682e1213cc429793cf0ebf
SHA1 825110c6828ae4df5b6c0efc898149188565611e
SHA256 0f593dea95eadff843e5a2415fbdee83508084f2c5e79096a8b2164703a51448
SHA512 8e4a88f2964fccac65cbb0a738fcbd1d20b884e2db269087e12564360928cecda01ed3524f526d73039e6206f4ab4cec6deebe04e12cd14c308074a391416454

memory/2296-2894-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp

memory/2296-2895-0x00007FFA69290000-0x00007FFA692A0000-memory.dmp

memory/2296-2896-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp

memory/2296-2865-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp

memory/2296-2897-0x00007FFA69290000-0x00007FFA692A0000-memory.dmp

memory/2296-2898-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp

memory/2296-2899-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp

memory/2296-2900-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp

memory/2296-2901-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp

memory/2296-2903-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp

memory/2296-2902-0x00007FFA67070000-0x00007FFA67080000-memory.dmp

memory/2296-2904-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp

memory/2296-2906-0x00007FFA67070000-0x00007FFA67080000-memory.dmp

memory/2296-2907-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp

memory/2296-2905-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp

memory/2296-2908-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp

memory/2296-2909-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp

memory/2296-2910-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp

memory/2296-2911-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 a889b3699195d6769645d506caabe0ff
SHA1 1c6fb4505160dfbe220bf9cb1e3e57e138a5f25c
SHA256 1af33abb8c5a2e3a7f5f19c0e68790a5ed14985f647a49355722d600b875deae
SHA512 5e278b8aa781fdf83f046715589af9d38a8d146d03be2b37ecb2b6ce044b15a42aeb6b44a5c9964f88fa68cbed50f969b3866bfc8c73b4652b0d33a9bce7fe57

memory/2296-2929-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp

memory/2296-2930-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp
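
The Files section mixes three kinds of entry: dumped memory regions named memory/<pid>-<index>-<start>-<end>-memory.dmp, files the sample created (the ransom note C:\2zAdN8qob.README.txt, the helper C:\ProgramData\6AFF.tmp, and desktop.ini under $Recycle.Bin, which is what the "Drops desktop.ini file(s)" signature refers to), and collateral from the OneNote print branch (Open Notebook.onetoc2). The following Python is an added example, not code from the report: it parses the dump names into per-PID region sets (repeated dumps of the same range collapse to one region, so PID 2296 has three distinct ranges and PID 4564 one), labels the file paths, and derives the extension to hunt for from the note name. The note rule, a 9-character token followed by .README.txt with the same token appended to encrypted files, is the LockBit 3.0 naming convention and an assumption about this sample, since this section does not list the renamed files themselves.

```python
r"""Classify the file and memory-region entries of the Files section.

Added example, not part of the sandbox report. LISTING is copied from the
section above. The ransom-note rule (<token>.README.txt, files renamed to
*.<token>) is the LockBit 3.0 convention and an assumption about this sample.
"""
import re
from collections import Counter, defaultdict

LISTING = [
    "memory/4564-0-0x0000000003010000-0x0000000003020000-memory.dmp",
    "memory/4564-1-0x0000000003010000-0x0000000003020000-memory.dmp",
    r"C:\$Recycle.Bin\S-1-5-21-910440534-423636034-2318342392-1000\desktop.ini",
    r"F:\$RECYCLE.BIN\S-1-5-21-910440534-423636034-2318342392-1000\EEEEEEEEEEE",
    r"C:\2zAdN8qob.README.txt",
    r"C:\ProgramData\6AFF.tmp",
    "memory/2296-2862-0x00007FFA69290000-0x00007FFA692A0000-memory.dmp",
    "memory/2296-2865-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp",
    "memory/2296-2902-0x00007FFA67070000-0x00007FFA67080000-memory.dmp",
    "memory/2296-2929-0x00007FFAA9210000-0x00007FFAA9405000-memory.dmp",
    r"C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2",
]

# memory/<pid>-<index>-<start>-<end>-memory.dmp, as named in this report.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$")
# Assumed LockBit 3.0 note naming: 9 alphanumerics + ".README.txt".
NOTE_RE = re.compile(r"^(?P<token>[A-Za-z0-9]{9})\.README\.txt$")
DROPPED_TMP_RE = re.compile(r"(?i)^c:\\programdata\\[^\\]+\.tmp$")
RECYCLE_RE = re.compile(r"(?i)\\\$recycle\.bin\\")


def parse_dump_name(name: str):
    """Split a dump name into pid, index and region bounds; None if not one."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(listing):
    """Distinct (start, end) regions dumped per PID, repeats collapsed."""
    regions = defaultdict(set)
    for name in listing:
        d = parse_dump_name(name)
        if d:
            regions[d["pid"]].add((d["start"], d["end"]))
    return dict(regions)


def classify(path: str) -> str:
    """Label one listing entry."""
    if DUMP_RE.match(path):
        return "memory_region"
    base = path.rsplit("\\", 1)[-1]
    if NOTE_RE.match(base):
        return "ransom_note"
    if RECYCLE_RE.search(path) and base.lower() == "desktop.ini":
        return "recycle_bin_desktop_ini"
    if DROPPED_TMP_RE.match(path):
        return "dropped_tmp"
    return "other"


def expected_extension(listing):
    """Extension to hunt for, derived from the note name (assumed convention)."""
    for path in listing:
        m = NOTE_RE.match(path.rsplit("\\", 1)[-1])
        if m:
            return "." + m["token"]
    return None


def summarize(listing) -> dict:
    """Counts per label, distinct regions per PID, and the hunt extension."""
    return {
        "counts": dict(Counter(classify(p) for p in listing)),
        "regions": {pid: len(r) for pid, r in regions_by_pid(listing).items()},
        "extension": expected_extension(listing),
    }


if __name__ == "__main__":
    for key, value in summarize(LISTING).items():
        print(f"{key}: {value}")
```

The hunt extension is the actionable output: on a live estate, a sudden volume of files gaining one never-seen 9-character extension next to a matching <token>.README.txt is the file-system signal to alert on, independent of the binary's hash.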