Analysis
max time kernel: 139s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11-03-2024 19:21
Behavioral task
behavioral1
Sample
2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Resource
win10v2004-20240226-en
General
Target: 2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Size: 156KB
MD5: 0878876cddf35120735b78b595026fd4
SHA1: 6d1a48b1f6ad210570c44392654870152b493efd
SHA256: 2038b782c400aa80ebf5089ac0138b7c811e43d39b6642a7ca065fc59dde054c
SHA512: 69d8c1976533cd7e1d1e9f7de019959770deb17e28d831c4be42e623ab3ff10e924dd29b19d3028eea2ea581ed161eb574d49f81c41a167d18c6486adfa1821b
SSDEEP: 3072:2DDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368CmFx8WGWWqM2n5ggVGv5W:Q5d/zugZqll3t1nek
Malware Config
Extracted
C:\Users\irpHHEyS0.README.txt
Signatures

Renames multiple (7609) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Deletes itself (1 IoC)
Processes:
pid 540  ADBD.tmp

Executes dropped EXE (1 IoC)
Processes:
pid 540  ADBD.tmp

Loads dropped DLL (1 IoC)
Processes:
pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Drops desktop.ini file(s) (2 IoCs)
Processes:
File opened for modification  C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes:
Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\irpHHEyS0.bmp"  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\irpHHEyS0.bmp"  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
Processes:
pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
pid 540   ADBD.tmp
Drops file in Program Files directory (64 IoCs)
Processes: 2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Modifies Control Panel (2 IoCs)
Processes:
Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "10"  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe

Modifies registry class (5 IoCs)
Processes:
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\irpHHEyS0  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\irpHHEyS0\DefaultIcon\ = "C:\\ProgramData\\irpHHEyS0.ico"  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.irpHHEyS0  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.irpHHEyS0\ = "irpHHEyS0"  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\irpHHEyS0\DefaultIcon  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe

Suspicious behavior: RenamesItself (26 IoCs)
Processes:
pid 540  ADBD.tmp
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
Token: SeAssignPrimaryTokenPrivilege  pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Token: SeBackupPrivilege              pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Token: SeDebugPrivilege               pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Token: 36                             pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Token: SeImpersonatePrivilege         pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Token: SeIncBasePriorityPrivilege     pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Token: SeIncreaseQuotaPrivilege       pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Token: 33                             pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Token: SeManageVolumePrivilege        pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Token: SeProfSingleProcessPrivilege   pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Token: SeRestorePrivilege             pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Token: SeSecurityPrivilege            pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Token: SeSystemProfilePrivilege       pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Token: SeTakeOwnershipPrivilege       pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Token: SeShutdownPrivilege            pid 2456  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
Token: SeBackupPrivilege              pid 908   vssvc.exe
Token: SeRestorePrivilege             pid 908   vssvc.exe
Token: SeAuditPrivilege               pid 908   vssvc.exe
(The remaining entries are repeated SeBackupPrivilege and SeSecurityPrivilege adjustments by pid 2456.)

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
PID 2456 wrote to memory of 540  2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe -> ADBD.tmp
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe"
   PID: 2456
   - Loads dropped DLL
   - Drops desktop.ini file(s)
   - Sets desktop wallpaper using registry
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Drops file in Program Files directory
   - Modifies Control Panel
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\ADBD.tmp
      Command line: "C:\ProgramData\ADBD.tmp"
      PID: 540
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself

1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   PID: 908
   - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\system32\AUDIODG.EXE
   Command line: C:\Windows\system32\AUDIODG.EXE 0x154
   PID: 2824
Network
MITRE ATT&CK Enterprise v15
Downloads