Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-03-2024 22:38
Behavioral task: behavioral1
Sample: 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
Resource: win10v2004-20240226-en
General
Target: 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
Size: 153KB
MD5: fc574bb43fdd40afb914909e27b0c02b
SHA1: b7ad2ef359b343e73f0399a2bd9b15fe9e7b58f2
SHA256: 1f2d57fd92961d57a1a7b09c7bbddfdc95b2246f1f6874d6aa52aedd77d5cfa8
SHA512: 16cfcd67e871773a9073f32050e3f7da749284d6218027b405f0f9bdfb8d7e2f1ffb644825cf00a5e3da00aab54a301e23c30569c8e1259f315ea1221b565154
SSDEEP: 3072:FqJogYkcSNm9V7DEA72bjSwMZNdmhCySRYT:Fq2kc4m9tDYbjLMZN4hC
Malware Config
Extracted from: C:\cmAOMbVXo.README.txt
Family: lockbit
Signatures
Lockbit
Ransomware family with multiple variants released since late 2019.

Renames multiple (568) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 7A61.tmp
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | 7A61.tmp
Deletes itself (1 IoC)
Processes: 7A61.tmp
pid | process
1924 | 7A61.tmp

Executes dropped EXE (1 IoC)
Processes: 7A61.tmp
pid | process
1924 | 7A61.tmp
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (2 IoCs)
Processes: 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
description | ioc | process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini | 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini | 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe

Drops file in System32 directory (4 IoCs)
Processes: splwow64.exe, printfilterpipelinesvc.exe
description | ioc | process
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
File created | C:\Windows\system32\spool\PRINTERS\PP2y3qq7vl2ztjyrygucglktvo.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPdzdiyeb0n0ao638gvww1wd5hc.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPpa9wel18hwjpml3hu9dgxoxob.TMP | printfilterpipelinesvc.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes: 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\cmAOMbVXo.bmp" | 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\cmAOMbVXo.bmp" | 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes: 7A61.tmp
pid | process
1924 | 7A61.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: ONENOTE.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: ONENOTE.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE

Modifies Control Panel (2 IoCs)
Processes: 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop | 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe

Modifies registry class (5 IoCs)
Processes: 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmAOMbVXo\ = "cmAOMbVXo" | 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cmAOMbVXo\DefaultIcon | 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cmAOMbVXo | 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmAOMbVXo\DefaultIcon\ = "C:\\ProgramData\\cmAOMbVXo.ico" | 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmAOMbVXo | 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
pid | process
1684 | 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe (this row is repeated 64 times in the report)
Suspicious behavior: RenamesItself (26 IoCs)
Processes: 7A61.tmp
pid | process
1924 | 7A61.tmp (this row is repeated 26 times in the report)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe
All 64 entries are from pid 1684 (2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe). Tokens adjusted, in order of first appearance:
Token: SeAssignPrimaryTokenPrivilege
Token: SeBackupPrivilege
Token: SeDebugPrivilege
Token: 36
Token: SeImpersonatePrivilege
Token: SeIncBasePriorityPrivilege
Token: SeIncreaseQuotaPrivilege
Token: 33
Token: SeManageVolumePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeRestorePrivilege
Token: SeSecurityPrivilege
Token: SeSystemProfilePrivilege
Token: SeTakeOwnershipPrivilege
Token: SeShutdownPrivilege
After these, the report shows one more SeDebugPrivilege entry followed by alternating pairs of SeBackupPrivilege and SeSecurityPrivilege entries up to the 64-entry limit.
Suspicious use of SetWindowsHookEx (13 IoCs)
Processes: ONENOTE.EXE
pid | process
2240 | ONENOTE.EXE (this row is repeated 13 times in the report)

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe, printfilterpipelinesvc.exe, 7A61.tmp
description | pid | process | target process
PID 1684 wrote to memory of 2600 | 1684 | 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe | splwow64.exe (2 entries)
PID 4364 wrote to memory of 2240 | 4364 | printfilterpipelinesvc.exe | ONENOTE.EXE (2 entries)
PID 1684 wrote to memory of 1924 | 1684 | 2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe | 7A61.tmp (4 entries)
PID 1924 wrote to memory of 1756 | 1924 | 7A61.tmp | cmd.exe (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe (PID 1684)
  Command: "C:\Users\Admin\AppData\Local\Temp\2024-03-11_fc574bb43fdd40afb914909e27b0c02b_darkside.exe"
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe (PID 2600)
      Command: C:\Windows\splwow64.exe 12288
      - Drops file in System32 directory
    C:\ProgramData\7A61.tmp (PID 1924)
      Command: "C:\ProgramData\7A61.tmp"
      - Checks computer location settings
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1756)
          Command: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7A61.tmp >> NUL

C:\Windows\system32\svchost.exe (PID 3328)
  Command: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe (PID 4364)
  Command: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 2240)
      Command: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{8C4AC857-189C-49AE-8BF6-C4170DCC6DE3}.xps" 133546703078120000
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads