Malware Analysis Report

2024-11-30 11:31

Sample ID 240224-bwhdfsdg85
Target 2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside
SHA256 c431cd8702361f700751745a64802a177c8db6bf58d5a428948cdc7bd0def7e7
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c431cd8702361f700751745a64802a177c8db6bf58d5a428948cdc7bd0def7e7

Threat Level: Known bad

The file 2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Lockbit family

Lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Renames multiple (304) files with added filename extension

Renames multiple (589) files with added filename extension

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Enumerates system info in registry

Modifies Control Panel

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-24 01:29

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-24 01:29

Reported

2024-02-24 01:32

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (304) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\7031.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\7031.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\siyQ9kPmf.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\siyQ9kPmf.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\7031.tmp N/A

Enumerates physical storage devices

Modifies Control Panel

evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.siyQ9kPmf | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.siyQ9kPmf\ = "siyQ9kPmf" | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\siyQ9kPmf\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\siyQ9kPmf | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\siyQ9kPmf\DefaultIcon\ = "C:\\ProgramData\\siyQ9kPmf.ico" | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe"

C:\ProgramData\7031.tmp

"C:\ProgramData\7031.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7031.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files

memory/2108-0-0x00000000000F0000-0x0000000000130000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini

MD5 56bb36ed64d5216ca4ee0ddbdca0a0ed
SHA1 bf07f61d56c9148c55b098fdf4a494b646e6e0a5
SHA256 f52b8c6f31b55d708325ac03827dbf6439b900eb4ec7990cb28fd4ca6c761e1b
SHA512 41a02d7973ad9c1d193fdee64cb6e430e854062877d94dabd32157a63bd9ffbfdfaa915fb613a075f47969ca86812d0987227959aec10088376802d9178c3543

C:\siyQ9kPmf.README.txt

MD5 dd746ace17e44ace00885b91400f11d5
SHA1 4a0302d2dca400598f396e4230fdae71779cbeaa
SHA256 b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272
SHA512 8ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1

F:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\OOOOOOOOOOO

MD5 ac4c5728f2a3146fba84044664f05fdb
SHA1 951c7f92bd13497ad3aed3e98ba660a2209af93c
SHA256 23649aaf48182d3dec80b9373e3f3d15631a1f9ddc8f45445ccb97253c88aa2c
SHA512 3be593bc26bda2456dba2d3873e0e054520d5b0784b4419042dfa8f50689ac24801393969b56c2b7faf1759c289ca9d0071699d18aa290bd70b68b2c4b1665ce

\ProgramData\7031.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/560-822-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/560-830-0x0000000001FF0000-0x0000000002030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK

MD5 0b2b2aaddf3defd6f641c56594091c10
SHA1 c7eaef45da8753d351cbf6bf9dd8307f1428f5b9
SHA256 2a889831e2c039c4e8fa125e732304a005d5752d1d6f33ce1cf5699b60a0ddd0
SHA512 98c4613605b3ef17fb6e7f8315ff7d85ffbe0784e52e2f8a6f1a68fa10ec061efe8bdfa7a81c746f9f90c2cb0c3bb2c2a5e863c5425d7f41dc7282f331837f1f

memory/560-838-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/560-840-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/560-854-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/560-855-0x000000007EF60000-0x000000007EF61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-24 01:29

Reported

2024-02-24 01:32

Platform

win10v2004-20240221-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (589) files with added filename extension

ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation | C:\ProgramData\1A79.tmp | N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\1A79.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\1A79.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2200714112-3788720386-2559682836-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2200714112-3788720386-2559682836-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\spool\PRINTERS\PPzn6rxv1jznll0zk1at9jxtpk.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PPmr5s9yxmcz6co08dmjmjqbfnc.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PPcqibqbnvvobugw13g8othvpq.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\siyQ9kPmf.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\siyQ9kPmf.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\1A79.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Modifies Control Panel

evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.siyQ9kPmf | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.siyQ9kPmf\ = "siyQ9kPmf" | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\siyQ9kPmf\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\siyQ9kPmf | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\siyQ9kPmf\DefaultIcon\ = "C:\\ProgramData\\siyQ9kPmf.ico" | C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4152 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe C:\Windows\splwow64.exe
PID 4152 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe C:\Windows\splwow64.exe
PID 4576 wrote to memory of 1948 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 4576 wrote to memory of 1948 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 4152 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe C:\ProgramData\1A79.tmp
PID 4152 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe C:\ProgramData\1A79.tmp
PID 4152 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe C:\ProgramData\1A79.tmp
PID 4152 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe C:\ProgramData\1A79.tmp
PID 4428 wrote to memory of 5024 N/A C:\ProgramData\1A79.tmp C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 5024 N/A C:\ProgramData\1A79.tmp C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 5024 N/A C:\ProgramData\1A79.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-24_1cba9ed2d67d8aaba4b55946ebc2de9f_darkside.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{17657304-64DE-4D60-A702-C6812E796C56}.xps" 133532118063760000

C:\ProgramData\1A79.tmp

"C:\ProgramData\1A79.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1A79.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 105.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp

Files

memory/4152-0-0x0000000003220000-0x0000000003230000-memory.dmp

memory/4152-1-0x0000000003220000-0x0000000003230000-memory.dmp

memory/4152-2-0x0000000003220000-0x0000000003230000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2200714112-3788720386-2559682836-1000\AAAAAAAAAAA

MD5 178c75e15620f6a7fb215b7e81f6866e
SHA1 0222d9f1adafea41a94da853a67467de425aea7c
SHA256 f6a9b98f4c6f91b63e180c7fddf05ea4bf6a990fd5ad0c0e9c3bd28f0507b2b8
SHA512 350e573491da0a9efc34a5d9b242610124fc0de0dbab344e835c94565abb02f89b553bd7b94f7c85ffde1bc226a3c706459017f9edb06d85a4815a1dae38ed45

F:\$RECYCLE.BIN\S-1-5-21-2200714112-3788720386-2559682836-1000\EEEEEEEEEEE

MD5 27903fdb532df5ad57e4270c4ee0f2eb
SHA1 e34a0afc16f0d93711c3b3a9175e84b01b1dccde
SHA256 76abc0468e8ac1120d9d51b81319f840d7403f7e08300befe55b510f20dd75b9
SHA512 733c3bb6e3ffab7b0fbe808be5a476cd441f18aa0924bebae83ac4ea279826324c041aa6302e4b96d2339de9bcee988830df6a8d5bba959df7de31d277f31762

C:\siyQ9kPmf.README.txt

MD5 dd746ace17e44ace00885b91400f11d5
SHA1 4a0302d2dca400598f396e4230fdae71779cbeaa
SHA256 b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272
SHA512 8ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1

memory/4152-2726-0x0000000003220000-0x0000000003230000-memory.dmp

memory/4152-2727-0x0000000003220000-0x0000000003230000-memory.dmp

memory/4152-2728-0x0000000003220000-0x0000000003230000-memory.dmp

C:\ProgramData\1A79.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1948-2744-0x00007FFE41F50000-0x00007FFE41F60000-memory.dmp

memory/1948-2746-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

memory/1948-2748-0x00007FFE41F50000-0x00007FFE41F60000-memory.dmp

memory/1948-2747-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

memory/1948-2749-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

memory/1948-2779-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

memory/1948-2755-0x00007FFE41F50000-0x00007FFE41F60000-memory.dmp

memory/1948-2781-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

memory/1948-2782-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

memory/1948-2780-0x00007FFE41F50000-0x00007FFE41F60000-memory.dmp

memory/1948-2783-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

memory/1948-2784-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 43b2627a01b6832c0a54d6c044622372
SHA1 2f6ff814647507cfd509de053db4f774fca08807
SHA256 758b63c3e17063fe70775f44c675a044688f6ff0927298a4573165a1e30473eb
SHA512 6f8ef29206693b9aeb3c309b7b98e958d3ecbac34a4ec582dfc907fc5e1859fd4e97a5e66dcdc996a633a7e0702336298231ea6a2f8e7e576a661e4859f51cde

memory/1948-2745-0x00007FFE41F50000-0x00007FFE41F60000-memory.dmp

memory/1948-2785-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

memory/1948-2786-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

memory/1948-2789-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

memory/1948-2788-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

memory/1948-2791-0x00007FFE3F940000-0x00007FFE3F950000-memory.dmp

memory/1948-2792-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

memory/1948-2790-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

memory/1948-2787-0x00007FFE3F940000-0x00007FFE3F950000-memory.dmp

memory/1948-2793-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

memory/1948-2794-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

memory/1948-2795-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{2F5F1E32-8824-4A87-B854-FE683E655D3D}

MD5 9866f2d2ebd7e5b8b724ff43a065d0b2
SHA1 52cf17507690fdc0ff2c897beca3bfa583fd7988
SHA256 6ca9b0f47e0d58e034c44b8b8322aebc82d00602f0f2eafe0e85ce9e8cdc43de
SHA512 32ca7a7014ef5de9dd212f0c79b24a0bde45b07ee10b1e4ef12004ed1b816c7d790fd23985c032870f7a5c08f0312d3598475605eda5c84b230dc82f6e32a92d

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 4d1c5e34411bd5c6e6d49b425723d281
SHA1 a7391ca8d5521079360b855872c4d993defa030e
SHA256 7f1a05141750732af4d3a4989d5887e2f8f115c414b48fe41cdf8d93aa596534
SHA512 27409f6e1359eb6a98c5e3c35440cb2a51f4e6f3a828039247184d58f9ef05effbbf298c14ff9872728d164e20bbc16daa4f39ce0149f682f39d8aeb244db975

memory/1948-2814-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

memory/1948-2815-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp

memory/1948-2816-0x00007FFE81ED0000-0x00007FFE820C5000-memory.dmp