Malware Analysis Report

2024-11-30 11:29

Sample ID: 240301-cvcbgsae9y
Target: 2024-03-01_07f530499140ce0eea92b24173852074_darkside
SHA256: aa5619de3835dbc69875d854923c2d9ba635086f2d5ee7bcbd39f3feaa76b7bb
Tags: lockbit, ransomware, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: aa5619de3835dbc69875d854923c2d9ba635086f2d5ee7bcbd39f3feaa76b7bb

Threat Level: Known bad

The file 2024-03-01_07f530499140ce0eea92b24173852074_darkside was found to be: Known bad.

Malicious Activity Summary

Tags: lockbit, ransomware, spyware, stealer

Lockbit family

Lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Renames multiple (606) files with added filename extension

Renames multiple (356) files with added filename extension

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Deletes itself

Drops desktop.ini file(s)

Drops file in System32 directory

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: RenamesItself

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies Control Panel

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-01 02:23

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-01 02:23

Reported: 2024-03-01 02:25

Platform: win7-20240221-en

Max time kernel: 121s

Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe"

Signatures

Lockbit

Tags: ransomware, lockbit

Renames multiple (356) files with added filename extension

Tags: ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\47BA.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\47BA.tmp | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A

Sets desktop wallpaper using registry

Tags: ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\qAHglxJFR.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\qAHglxJFR.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\47BA.tmp | N/A

Enumerates physical storage devices

Modifies Control Panel

Tags: evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.qAHglxJFR | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.qAHglxJFR\ = "qAHglxJFR" | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\qAHglxJFR\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\qAHglxJFR | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\qAHglxJFR\DefaultIcon\ = "C:\\ProgramData\\qAHglxJFR.ico" | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
(the row above is reported 14 times, once per enumeration event)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe"

C:\ProgramData\47BA.tmp

"C:\ProgramData\47BA.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\47BA.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x14c

Network

N/A

Files

memory/2236-0-0x00000000022A0000-0x00000000022E0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini

MD5 b3d8a1a97e9fd7b42e7c6a9a7594f1b1
SHA1 8aeb0f4a6397df515dece2ddc834277a47bfc53d
SHA256 fcfc9ec5c64dff7d2139a06eddef1e694dfb9fd07866874a687bfafc301661df
SHA512 e4df56571867f57a5ecb9ef0aa65b851a1d03d3fba1ddadfaca7ea7ee724158187f60dd0a7c9122e6d6456bfbd6a0690bac41cf4e93b24b9cef9634e19531aa1

F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\DDDDDDDDDDD

MD5 52f49a71c5348e1cab67aee66293f45c
SHA1 1859ef4f3e9a87e1f9ca088d08277248682472af
SHA256 76afbd1b6d5b28187ca47d57db0e077493d858a28ae43f5fe70198c00ba36437
SHA512 1a3017f864f63965523548b55321aa920ab444feb0d36d210d769a413350ffabaac5b109d69ba3c79564c8da2460bbe92cab919a9a2042a20f591c3a0df0d80e

C:\qAHglxJFR.README.txt

MD5 1d0ac15095a25397eaea3b395e67adbb
SHA1 7e7f714842c989acddaaeaee80d6f9ea9e75234d
SHA256 e92cb600f39d5f794137cc59b55b31010dcd86369571374eb884d35614262d89
SHA512 357e4cf79b632c64e6c0a474f7d8fb1a5dcc0d0c260efaf6556dce60348a6d4fe4a8a263174b705a087a4cd2c111a7232c965bd4a2e6d16ded77af949b62f48c

\ProgramData\47BA.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2824-882-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/2824-884-0x00000000021D0000-0x0000000002210000-memory.dmp

memory/2824-887-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/2824-889-0x000000007EF20000-0x000000007EF21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 4514ea01aa11ba1e7e9dff23c7ab5f47
SHA1 4c42fcd14185fc473786ca28d0e86cb2e6931746
SHA256 b68ffc971498a753d5ca0fcf15880b148b4f422c52503c203d09b45382334098
SHA512 4e429e4472c281b5d286dbf98b39ca02a3fb83070a04844c9139169e27db1a07618d9b31418642deccadbd72235bdddb9768f84391996d1f588fec48e0543fd7

memory/2824-915-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/2824-914-0x000000007EF40000-0x000000007EF41000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-01 02:23

Reported: 2024-03-01 02:25

Platform: win10v2004-20240226-en

Max time kernel: 146s

Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe"

Signatures

Lockbit

Tags: ransomware, lockbit

Renames multiple (606) files with added filename extension

Tags: ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\ProgramData\66D9.tmp | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\66D9.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\66D9.tmp | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PP7gh5hw0ui55a0ki43mz7qgwab.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PP64gpti5j6f0fb_3sda78y8c_.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PP9o22v0w41hcry18erb3q9ayrc.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A

Sets desktop wallpaper using registry

Tags: ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\qAHglxJFR.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\qAHglxJFR.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\66D9.tmp | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Modifies Control Panel

Tags: evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.qAHglxJFR | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.qAHglxJFR\ = "qAHglxJFR" | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\qAHglxJFR\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\qAHglxJFR | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\qAHglxJFR\DefaultIcon\ = "C:\\ProgramData\\qAHglxJFR.ico" | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
(the row above is reported 64 times, once per enumeration event)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe | N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe N/A
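
The rows above show a single user-land binary enabling, over and over, the privilege set a ransomware payload needs before it touches the file system: SeBackupPrivilege and SeRestorePrivilege (read and overwrite files regardless of their ACLs), SeTakeOwnershipPrivilege, SeDebugPrivilege (open other processes), SeManageVolumePrivilege (volume maintenance operations) and SeSecurityPrivilege (SACLs and the Security event log). Two names are the sandbox's abbreviated forms of the winnt.h names (SeIncBasePriorityPrivilege for SeIncreaseBasePriorityPrivilege, SeProfSingleProcessPrivilege for SeProfileSingleProcessPrivilege), and `Token: 33` is a privilege LUID the sandbox did not resolve; assuming it is the winnt.h LUID LowPart, 33 is SeIncreaseWorkingSetPrivilege. The Python below is an added triage helper, not part of the sandbox report or its tooling: it parses rows in the layout above (a constructed excerpt of this report's rows is embedded as sample input), normalises the names and checks whether the full pre-encryption set was enabled.

```python
"""Triage helper for AdjustPrivilegeToken rows of the form
    Token: <privilege> N/A <process path> N/A
Added example; the LUID table and aliases are assumptions stated in the lead-in."""
import json
import re
from collections import Counter

# winnt.h SE_*_PRIVILEGE LUID values -> SE_*_NAME strings, used to resolve rows
# where the sandbox printed a raw number such as "Token: 33".
LUID_TO_NAME = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege",
    4: "SeLockMemoryPrivilege", 5: "SeIncreaseQuotaPrivilege",
    6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege",
    8: "SeSecurityPrivilege", 9: "SeTakeOwnershipPrivilege",
    10: "SeLoadDriverPrivilege", 11: "SeSystemProfilePrivilege",
    12: "SeSystemtimePrivilege", 13: "SeProfileSingleProcessPrivilege",
    14: "SeIncreaseBasePriorityPrivilege", 15: "SeCreatePagefilePrivilege",
    16: "SeCreatePermanentPrivilege", 17: "SeBackupPrivilege",
    18: "SeRestorePrivilege", 19: "SeShutdownPrivilege", 20: "SeDebugPrivilege",
    21: "SeAuditPrivilege", 22: "SeSystemEnvironmentPrivilege",
    23: "SeChangeNotifyPrivilege", 24: "SeRemoteShutdownPrivilege",
    25: "SeUndockPrivilege", 26: "SeSyncAgentPrivilege",
    27: "SeEnableDelegationPrivilege", 28: "SeManageVolumePrivilege",
    29: "SeImpersonatePrivilege", 30: "SeCreateGlobalPrivilege",
    31: "SeTrustedCredManAccessPrivilege", 32: "SeRelabelPrivilege",
    33: "SeIncreaseWorkingSetPrivilege", 34: "SeTimeZonePrivilege",
    35: "SeCreateSymbolicLinkPrivilege", 36: "SeDelegateSessionUserImpersonatePrivilege",
}

# Abbreviated names the sandbox prints, mapped to the canonical winnt.h names.
ALIASES = {
    "SeIncBasePriorityPrivilege": "SeIncreaseBasePriorityPrivilege",
    "SeProfSingleProcessPrivilege": "SeProfileSingleProcessPrivilege",
}

# Privileges that together let a process open, overwrite and rename files
# regardless of ACLs, take ownership, attach to other processes and perform
# volume maintenance. All of them enabled by one non-system binary is a
# strong pre-encryption indicator.
RANSOMWARE_PRIV_SET = {
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeDebugPrivilege", "SeManageVolumePrivilege",
}

ROW_RE = re.compile(r"^Token:\s+(\S+)\s+N/A\s+(.+?)\s+N/A\s*$")

# Constructed excerpt of this report's rows (same process, sixteen events).
P = r"C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe"
SAMPLE_ROWS = "\n".join(
    f"Token: {t} N/A {P} N/A" for t in [
        "SeIncBasePriorityPrivilege", "SeIncreaseQuotaPrivilege", "33",
        "SeManageVolumePrivilege", "SeProfSingleProcessPrivilege", "SeRestorePrivilege",
        "SeSecurityPrivilege", "SeSystemProfilePrivilege", "SeTakeOwnershipPrivilege",
        "SeShutdownPrivilege", "SeDebugPrivilege", "SeBackupPrivilege", "SeBackupPrivilege",
        "SeSecurityPrivilege", "SeSecurityPrivilege", "SeBackupPrivilege",
    ]
)


def normalise(token: str) -> str:
    """Map a raw Token field (name, alias or numeric LUID) to a canonical name."""
    if token.isdigit():
        return LUID_TO_NAME.get(int(token), f"LUID:{token}")
    return ALIASES.get(token, token)


def parse_rows(text: str):
    """Yield (privilege, process path) for every well-formed row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield normalise(m.group(1)), m.group(2)


def triage(text: str) -> dict:
    """Count enabled privileges per name and test for the ransomware set."""
    counts, processes = Counter(), set()
    for priv, proc in parse_rows(text):
        counts[priv] += 1
        processes.add(proc)
    enabled = set(counts)
    return {
        "processes": sorted(processes),
        "counts": dict(counts),
        "ransomware_set_hit": sorted(RANSOMWARE_PRIV_SET & enabled),
        "ransomware_set_complete": RANSOMWARE_PRIV_SET <= enabled,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
```

The repeated SeBackupPrivilege/SeSecurityPrivilege pairs in the full table are separate AdjustTokenPrivileges calls, so the counts are a rough proxy for how many objects the sample touched with backup semantics; the set check is the part worth keeping in a detection rule.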

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1276 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe C:\Windows\splwow64.exe
PID 1276 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe C:\Windows\splwow64.exe
PID 2496 wrote to memory of 3972 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 2496 wrote to memory of 3972 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 1276 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe C:\ProgramData\66D9.tmp
PID 1276 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe C:\ProgramData\66D9.tmp
PID 1276 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe C:\ProgramData\66D9.tmp
PID 1276 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe C:\ProgramData\66D9.tmp
PID 4396 wrote to memory of 5016 N/A C:\ProgramData\66D9.tmp C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 5016 N/A C:\ProgramData\66D9.tmp C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 5016 N/A C:\ProgramData\66D9.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{960E409D-072B-44BE-9B88-E10B1DAC6530}.xps" 133537334158870000

C:\ProgramData\66D9.tmp

"C:\ProgramData\66D9.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\66D9.tmp >> NUL
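
Read together, the WriteProcessMemory rows and the command lines give the execution chain. The sample (PID 1276) writes into splwow64.exe (PID 3532) and into the dropped C:\ProgramData\66D9.tmp (PID 4396), which in turn starts cmd.exe (PID 5016) with `DEL /F /Q C:\PROGRA~3\66D9.tmp`, i.e. the dropped binary removes its own image through a child shell; that is the behaviour behind the "Deletes itself" signature. The second branch, printfilterpipelinesvc.exe (PID 2496) starting ONENOTE.EXE with `/insertdoc` on an .xps file in INetCache, together with splwow64.exe and the PrintWorkflowUserSvc svchost, is the Windows print pipeline handing a job to the Send to OneNote print driver, so the sample submitted something to the installed printers; the report does not show the job's content. Note also that the cmd.exe image is C:\Windows\SysWOW64\cmd.exe while its command line names System32: that is WOW64 file-system redirection, which tells you 66D9.tmp is a 32-bit process. The Python below is an added example, not sandbox tooling: it rebuilds the tree from rows in the layout above and flags the self-delete pattern by matching the DEL target's file name against the parent's image name (a heuristic, since the 8.3 short path C:\PROGRA~3 cannot be resolved offline). The embedded rows and command lines are a constructed excerpt of this report.

```python
"""Rebuild a process tree from "PID A wrote to memory of B" rows and flag a
dropped binary that spawns cmd.exe to DEL its own image. Added example."""
import re
from collections import Counter, defaultdict
from ntpath import basename

# Row layout: "PID <ppid> wrote to memory of <cpid> N/A <parent image> <child image>".
# Parent images carry no spaces in this report; child images may (Program Files).
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+N/A\s+(\S+)\s+(.+?)\s*$")
# "DEL [/switch ...] <target>" inside a cmd.exe command line.
DEL_RE = re.compile(r"\bDEL\b(?:\s+/\w+)*\s+(\S+)", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-03-01_07f530499140ce0eea92b24173852074_darkside.exe"
DROPPED = r"C:\ProgramData\66D9.tmp"

# Constructed excerpt of this report's WriteProcessMemory rows (same multiplicity).
SAMPLE_WPM = "\n".join(
    [f"PID 1276 wrote to memory of 3532 N/A {SAMPLE} " + r"C:\Windows\splwow64.exe"] * 2
    + [r"PID 2496 wrote to memory of 3972 N/A C:\Windows\system32\printfilterpipelinesvc.exe "
       r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"] * 2
    + [f"PID 1276 wrote to memory of 4396 N/A {SAMPLE} {DROPPED}"] * 4
    + [f"PID 4396 wrote to memory of 5016 N/A {DROPPED} " + r"C:\Windows\SysWOW64\cmd.exe"] * 3
)

# Command lines keyed by image path, taken from the Processes section above.
SAMPLE_CMDLINES = {
    SAMPLE: f'"{SAMPLE}"',
    r"C:\Windows\splwow64.exe": r"C:\Windows\splwow64.exe 12288",
    DROPPED: f'"{DROPPED}"',
    r"C:\Windows\SysWOW64\cmd.exe":
        r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\66D9.tmp >> NUL',
}


def parse_wpm(text):
    """Return (pid -> image path, Counter of (parent pid, child pid) writes)."""
    images, writes = {}, Counter()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid = int(m[1]), int(m[2])
        images[ppid], images[cpid] = m[3], m[4]
        writes[(ppid, cpid)] += 1
    return images, writes


def process_tree(writes):
    """Parent pid -> set of child pids."""
    children = defaultdict(set)
    for p, c in writes:
        children[p].add(c)
    return children


def roots(writes):
    """Pids that are written to by nobody, i.e. tops of each observed chain."""
    parents = {p for p, _ in writes}
    kids = {c for _, c in writes}
    return sorted(parents - kids)


def render(images, writes):
    """Indented text tree, one "<pid> <image>" line per process."""
    children, lines = process_tree(writes), []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for r in roots(writes):
        walk(r, 0)
    return lines


def self_deletes(images, writes, cmdlines):
    """Flag parents whose cmd.exe child DELs a file named like the parent's image."""
    hits = []
    for p, c in writes:
        if basename(images[c]).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(cmdlines.get(images[c], ""))
        if m and basename(m[1]).lower() == basename(images[p]).lower():
            hits.append({"pid": p, "image": images[p], "deleted": m[1], "via": c})
    return hits


if __name__ == "__main__":
    imgs, wr = parse_wpm(SAMPLE_WPM)
    print("\n".join(render(imgs, wr)))
    print(self_deletes(imgs, wr, SAMPLE_CMDLINES))
```

Two roots come out of the rows (1276 and 2496) because the print pipeline branch is started by a service, not by the sample, so a tree built only from memory-write events will not join the two; correlate on the splwow64.exe write and the .xps timestamp if you need the link. For a production rule, the basename match should be tightened to compare against the dropped-file list as well, so an unrelated `DEL` of a same-named file in another directory does not fire.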

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 25.63.96.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

memory/1276-0-0x0000000002B30000-0x0000000002B40000-memory.dmp

memory/1276-1-0x0000000002B30000-0x0000000002B40000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-275798769-4264537674-1142822080-1000\AAAAAAAAAAA

MD5 3de8052f6ba0f917d8bbfddd898ab03b
SHA1 5039b6c048cc63405d22c2178f0b0c44715dbbe2
SHA256 ff34698995b8ddb7548fac72adfa6c951f361adba6bab28a45aa2fda9e0b4ff7
SHA512 a145dee5be7ed6fc87b7a238c0ef1c19d78ffc463693cc9306bca2bfe38937521cc96a2673faa7deeaf64f34d3359065db77bf1969b08de543650629825c2c44

F:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\DDDDDDDDDDD

MD5 f13540a370454cbc72d6ad3ebf9254d4
SHA1 5f09e0e8d29cfe510d09b599d5feb1a3908b20e5
SHA256 c770ad18aec90f4d4847a18e462d09ec9dce3bc445ba9f020457225fa5f838d0
SHA512 14875138de3e4212d88609b831c75ede4d1394a5e6aed97ac77a3a9cf81d47a37a45e9feac88f28ebe08a6bc3d1b74e1450b6619d7583eeffa194f00b97df795

C:\qAHglxJFR.README.txt

MD5 18d356b6756476600005d182c2f66197
SHA1 b09a8a2633c273a115ae661083f75182f8520f10
SHA256 1f40b9fe0155c2e8a8ab241f23ee8d4385f491b8aa3578ab71bac22338accfa8
SHA512 a321e130a0e5ac4c230a0e989a785c16a2bc5b88eda91a9632ac0ed36bd7b58bf6fa677ced19af4eae8a9f7ca67876df4467efa4eb2d17d666734c6eee131ba9

memory/3972-2772-0x00007FFD33590000-0x00007FFD335A0000-memory.dmp

memory/3972-2774-0x00007FFD73510000-0x00007FFD73705000-memory.dmp

memory/3972-2776-0x00007FFD73510000-0x00007FFD73705000-memory.dmp

memory/3972-2775-0x00007FFD33590000-0x00007FFD335A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 85af2cb56d6a088e5c768cad1df60d8f
SHA1 1b0209cd9c83f08df2aef33b05684ce1275d2891
SHA256 472d0d4199872a1a94f26b074b843504a3349d4197c0ff593a807c6a6012949c
SHA512 e0604e78c8f32bad900c640d7dca2c7138cee6e39d529dcbe50851d64f479ee19bbb30f607c6759532c29f6e97fdff6bdd1939fa4ee2789519a0f863033adbed

memory/3972-2780-0x00007FFD73510000-0x00007FFD73705000-memory.dmp

memory/3972-2810-0x00007FFD73510000-0x00007FFD73705000-memory.dmp

memory/3972-2809-0x00007FFD33590000-0x00007FFD335A0000-memory.dmp

C:\ProgramData\66D9.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/3972-2778-0x00007FFD33590000-0x00007FFD335A0000-memory.dmp

memory/3972-2812-0x00007FFD73510000-0x00007FFD73705000-memory.dmp

memory/3972-2811-0x00007FFD33590000-0x00007FFD335A0000-memory.dmp

memory/3972-2813-0x00007FFD73510000-0x00007FFD73705000-memory.dmp

memory/3972-2814-0x00007FFD73510000-0x00007FFD73705000-memory.dmp

memory/3972-2815-0x00007FFD73510000-0x00007FFD73705000-memory.dmp

memory/3972-2816-0x00007FFD73510000-0x00007FFD73705000-memory.dmp

memory/3972-2817-0x00007FFD30D30000-0x00007FFD30D40000-memory.dmp

memory/3972-2818-0x00007FFD73510000-0x00007FFD73705000-memory.dmp

memory/3972-2819-0x00007FFD30D30000-0x00007FFD30D40000-memory.dmp

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 bb33e0eae3aa0bfe9f879a44326cfd5a
SHA1 42424088dfb08956f2e736f6dfd778bfc84f479e
SHA256 edeb5d980ff185b5251166ef9de0066ed344edc2e6bd62daea29daeb8636ba7b
SHA512 185629a7167dec57c05cd991b9da44630b900486d03b463ec75b3e9af4e9b5b4f8780c5730081fb65a52c38a15f002b007328a909ad653aa2dd2aee9ea83b3c9

memory/3972-2838-0x00007FFD73510000-0x00007FFD73705000-memory.dmp

memory/3972-2839-0x00007FFD73510000-0x00007FFD73705000-memory.dmp