Malware Analysis Report

2024-11-30 11:32

Sample ID 240226-mnkz6abd59
Target 2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside
SHA256 2e83048c7ed1193f09ae8d293b42c105662828f2ab56a2fa1f81379ee250fc46
Tags lockbit
Score 10/10


Analysis Overview

Score 10/10

SHA256 2e83048c7ed1193f09ae8d293b42c105662828f2ab56a2fa1f81379ee250fc46

Threat Level: Known bad

The file 2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside was found to be: Known bad.

Malicious Activity Summary

lockbit

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Deletes itself

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-02-26 10:36

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-26 10:36

Reported

2024-02-26 10:39

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\B329.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\B329.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe"

C:\ProgramData\B329.tmp

"C:\ProgramData\B329.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B329.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files

memory/1728-0-0x0000000000490000-0x00000000004D0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini

MD5 049f85ecc09085b246b4d97555128417
SHA1 0b6924e5d57f02673181721245730a8626201a44
SHA256 d32561302a2520155c986b575f3cfb2084498dc92c22fc839d66a425c36fde1f
SHA512 5f1cdba285385ce0485fd144e3b6ba5b217c81553146bcc637f4a7da2565b38b550892d9bdb70ad0b6cf6b858e8699c26c9dc54e55835dd12e7cd0dfd4881545

F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\DDDDDDDDDDD

MD5 b45259f65b1abb1a47c8127a8380a2ff
SHA1 7d912fa169b989b4e33628dcf692a3a1e81d6bc3
SHA256 432932ff30215c288cf963c239f568aa989fa6733cf79adb8d5c9674eae40b59
SHA512 fbf1b3571204fce4488a2c07bda717f37fe2c08d2232d61a93ddd0ddcc157674d3c498a0a458262253c611ac817fb81602b8d51fabab76724ac0f5bd02e85f5d

C:\ProgramData\B329.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2740-108-0x0000000000400000-0x0000000000407000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 2cfe5e0d472e866ac0a92b6993450fd2
SHA1 ce4eb67b6914b4b31ba2817ac28baec2b7154ec3
SHA256 63e46cd8fdc1f376b8498ad43eab69ffd0955368415ee4393499a2ec439ccfe3
SHA512 8f7069c45b5137cf3c8abe73f997fa73008d58e74b687bfe6443f5102b342b8c081cd2a52177b07968df09cf645fbe48d1035a9a19c57f95b5c779de58f379f9

memory/2740-110-0x0000000002260000-0x00000000022A0000-memory.dmp

memory/2740-122-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/2740-123-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/2740-126-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/2740-142-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/2740-143-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/2740-144-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-26 10:36

Reported

2024-02-26 10:39

Platform

win10v2004-20240221-en

Max time kernel

93s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation C:\ProgramData\4779.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\4779.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\4779.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1392040655-2056082574-619088944-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1392040655-2056082574-619088944-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-26_4e39dcfb9913e475f04927e71f38733a_darkside.exe"

C:\ProgramData\4779.tmp

"C:\ProgramData\4779.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4779.tmp >> NUL

Network


Files

memory/3560-0-0x0000000002E50000-0x0000000002E60000-memory.dmp

memory/3560-1-0x0000000002E50000-0x0000000002E60000-memory.dmp

memory/3560-2-0x0000000002E50000-0x0000000002E60000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1392040655-2056082574-619088944-1000\desktop.ini

MD5 f806f3b58c418373348c6e9d1e83f87c
SHA1 3abd1f1708bee0d2284a15b204723d51f3991f0a
SHA256 d09cf79643f13c5840866b3abb092be8299c8ed6886a37d902cc5780b8f04d24
SHA512 40c4e09c3125e0337d1f9cd209ca0edc59b890b7c1ec25c58977dfd71fd09209342af9d724220175771d932ea1c093a9c358a73bab3428337b5234da52d1836f

F:\$RECYCLE.BIN\S-1-5-21-1392040655-2056082574-619088944-1000\DDDDDDDDDDD

MD5 90c984d98d9c7b6fa5b33610467d6cda
SHA1 c99f443e2896865c1e7d548564d11c334de311bf
SHA256 6b7daa8d777762241432236c318c145f7592b032290c31ad0884cd54f7385492
SHA512 02f1c786aa9ca47eadbb67a8e0d09d6bfd1a84fb6362d6bd2a374c91fd905262d9715f88643a5bbb7f632cd4f1cb8ba6d546f5923ed17022a83846c168d6ac5e

F:\tnif8b1Sa.README.txt

MD5 c3f1f1406b76280a20beab76871189bc
SHA1 b065841b3f5331712e6672ed22edc023393e667d
SHA256 85b163be93481e99e3bb328d1a69b200616bdb0afa297ee5f9ee1ae546bdda9a
SHA512 f7a64c57b19faa69d6825f74c175a50aa9da22e94e673d76429724a7ee5cfccdfe60f495b040ea2e97d8ab1ee26d898fd6ba7b6161425cce7d39c39fd57beb19

C:\ProgramData\4779.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 e0145bf828853c7ad1ad9eacf4b76a81
SHA1 28645f312430261a65b0f4de135ccfbea2250c33
SHA256 991320bd0a144dd65d16469b5a397155210b63db87adc1d82cd768322381a621
SHA512 7493e8ad7cb5aa35ea0816884ccc9cbfeae315def501209aab05febae3218cab16c75779ffa126a81cbf21638ff3823621b7ab9972d313ebc65dc90d6b425dd4

memory/3600-115-0x0000000002580000-0x0000000002590000-memory.dmp

memory/3600-139-0x0000000002580000-0x0000000002590000-memory.dmp

memory/3600-112-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/3600-143-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/3600-145-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

memory/3600-144-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/3600-146-0x000000007FE00000-0x000000007FE01000-memory.dmp