Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
170s -
max time network
180s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
28/02/2024, 21:35
Behavioral task
behavioral1
Sample
2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Resource
win7-20240221-en
windows7-x64
15 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
15 signatures
150 seconds
General
-
Target
2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
-
Size
148KB
-
MD5
90b13c5448b62ddb92a1d0f8262ed7b7
-
SHA1
0b27b077d437da27091dd626e5958f0674e86a1c
-
SHA256
2dbb391b69ae1de7e1dbc0682b5067fe290f95a11c74d00cc091c281b39dd299
-
SHA512
bf16a6106f2afebb094949fb64dcd25832e02284d5ee06634254910336489a502947c8bc0629abcadb13d7cddcead28d2cbc1a470ab53e6d51671f2e67d81ffd
-
SSDEEP
3072:06glyuxE4GsUPnliByocWepEjCwDS6bo2VY9:06gDBGpvEByocWeCeS1Y9
Score
10/10
Malware Config
Extracted
Path
C:\mstH2C7Dr.README.txt
Ransom Note
~~~ LockBit 3.0, the fastest ransomware in the world since 2019 ~~~
>>>> What happened?
Your data is stolen and encrypted, the data will be published on TOR website if you do not pay the ransom.
>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we don't need anything other than your money.
If you pay, we will provide you with the decryption programs and delete your data.
Life is too short to be sad. Don't be sad, money is just paper.
If we don't provide you with decryptors or delete your data after payment, no one will pay us in the future.
This is why our reputation is very important to us. We attack businesses worldwide and there are no unsatisfied victims after payment.
You can get information about us on Twitter: https://twitter.com/hashtag/lockbit?f=live
>>>> How to pay to get the decryptor?
You must contact us by email to be able to send us a message with the payment screenshot with your personal decryption id, so we will contact you again to give you our recovery software.
Your personal decryption id: A79A3EC67EEF60C0D7BC3290AE8D7104
Our Bitcoin payment address: bc1qlj7ep820lmg48tvh7mahwjd5y4d4tx4nqactsp
The amount to pay: 200.00$
Our contact email address: [email protected]
>>>> Why Bitcoin?
As for the issue of anonymity, bitcoin is often considered more anonymous than traditional payment methods because it is not directly linked to your identity.
Bitcoin transactions are recorded on a public blockchain, but they are pseudonymous.
>>>> How to buy bitcoin?
To buy bitcoin, start by looking for trusted exchanges like Coinbase, Binance, or Kraken.
Once registered on one of these platforms, explore options for purchasing bitcoin using your local currency.
Familiarize yourself with the process of verifying and securing a digital wallet.
>>>> Information?
Attention ! Do not delete or modify any files, this may cause recovery problems!
Attention ! If you don't pay the ransom, we will repeatedly attack your business again!
Emails
URLs
https://twitter.com/hashtag/lockbit?f=live
Signatures
-
Renames multiple (602) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation FCA6.tmp -
Deletes itself 1 IoCs
pid Process 2136 FCA6.tmp -
Executes dropped EXE 1 IoCs
pid Process 2136 FCA6.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\mstH2C7Dr.bmp" 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\mstH2C7Dr.bmp" 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2136 FCA6.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\WallpaperStyle = "10" 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mstH2C7Dr 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mstH2C7Dr\ = "mstH2C7Dr" 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr\DefaultIcon 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr\DefaultIcon\ = "C:\\ProgramData\\mstH2C7Dr.ico" 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp 2136 FCA6.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeDebugPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: 36 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeImpersonatePrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeIncBasePriorityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeIncreaseQuotaPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: 33 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeManageVolumePrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeProfSingleProcessPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeRestorePrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSystemProfilePrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeTakeOwnershipPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeShutdownPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeDebugPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeBackupPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe Token: SeSecurityPrivilege 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2788 wrote to memory of 2136 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 97 PID 2788 wrote to memory of 2136 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 97 PID 2788 wrote to memory of 2136 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 97 PID 2788 wrote to memory of 2136 2788 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe 97 PID 2136 wrote to memory of 1148 2136 FCA6.tmp 98 PID 2136 wrote to memory of 1148 2136 FCA6.tmp 98 PID 2136 wrote to memory of 1148 2136 FCA6.tmp 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe"1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\ProgramData\FCA6.tmp"C:\ProgramData\FCA6.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\FCA6.tmp >> NUL3⤵PID:1148
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5423848a59ff75d9f7a11d1eff0e0742e
SHA1b3dff1c2083049c97ecd659fd3c069477d84a06e
SHA2569a667ae938a796c4183489575692ccfc0f1cae6590f6a93d830c2c82d8dcf381
SHA51238d890a3cca62381c890088f6064f644fa16db52e3efa7e24954c88c596f8e35a7309bceceaed9c7ae8aedde7fbd831df81f98278893baa632d834637435b270
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
148KB
MD553b44ac7e6958c91f433001680ee3b8f
SHA18ad86a429f14d7f004785fed090e82714c7d6501
SHA256c8803bf90bc92e64382ac9563a48501654622da5a8ef1a166df364fdea3d49ad
SHA5129a42c1d4d8c10a747341650a1247efee2f7ab1b173c2950b482f2f576c6514f2a40f40932230139c31f7a8830c25d02a9e86faac9f4e6e05b373867e6c55af1f
-
Filesize
2KB
MD5bda0fcec4c45719ebfbbe6f5f6f8d037
SHA1419725df268a8b1106c39d52d5ac99e1e7a3a14e
SHA256e12452787866b6d4f85aa45a2341aa562aea832d05fa9dc4e6b524ccc8ec1251
SHA5126ae3f2278052f9e376322112d8c1ebf8b458e95ff841a38c5a5c880aba41fc14b149ca9ab5ba71d60263504996dd414dd724046cca1bed29f0cf4db904223c08
-
Filesize
129B
MD5da62149dbd06a41dcd042480bbbf753e
SHA196ce6c0d762e42d4301a74114062052c4718e074
SHA2567a3e08216fd5e9ffdb93a2977d4d0939c6e9fb7fdc330148cc97ae4c347c4434
SHA51295449e928607fc5db983f0b1a228ff6f31b2de9687755a24b9808052a099cbeaa77e045529ff97c7fd1c7e416518e01d9d86c0833ea41ca1804003cdc679e618