Malware Analysis Report

2024-11-15 07:21

Sample ID 240312-3j7lcsgb64
Target 2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside
SHA256 a056607887510431f2be95f0b05cc385b193da4efdd5c2bd13467101f81597b8
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a056607887510431f2be95f0b05cc385b193da4efdd5c2bd13467101f81597b8

Threat Level: Known bad

The file 2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Renames multiple (333) files with added filename extension

Renames multiple (614) files with added filename extension

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Checks computer location settings

Drops desktop.ini file(s)

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Control Panel

Enumerates system info in registry

Checks processor information in registry

Modifies registry class

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-12 23:33

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-12 23:33

Reported

2024-03-12 23:36

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (333) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\2ECE.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\2ECE.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\6cVesywCa.bmp" C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\6cVesywCa.bmp" C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\2ECE.tmp N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.6cVesywCa C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.6cVesywCa\ = "6cVesywCa" C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\6cVesywCa\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\6cVesywCa C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\6cVesywCa\DefaultIcon\ = "C:\\ProgramData\\6cVesywCa.ico" C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe"

C:\ProgramData\2ECE.tmp

"C:\ProgramData\2ECE.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2ECE.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x148

Network

N/A

Files

memory/2952-0-0x00000000001D0000-0x0000000000210000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini

MD5 fad1457dfab07818e52c9ac2707037f5
SHA1 4da68ec7997191091391b6023a03b358d3910ba8
SHA256 2617a23d7b154ba3dcdef8c8af478b38e25f4ad13227a4dd33999f84fe2a8d1f
SHA512 f388d7444a4c8e1678972a8662cf61001868e12454884b68fe1a472240fe849453db29c310c7e4fd7baf272d67ad907201e0144bea7cfde18682121f9d416681

F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\DDDDDDDDDDD

MD5 7b16c27df85e6e12afbedc9747908e4f
SHA1 094d4e39bbcb757c7233e25aba63eaebe2474a6c
SHA256 54d08aeb7b4f3781b45ffea96746b01f875df89b908dc199f8bc9c17ceb8e44f
SHA512 642671a8ce17115687436d494cb8318b562ec1ace5b6d3498962303634383819a8b6cebad59cd9f07cea4617bd29b4ed34f85122104976c955e200b62b09793b

C:\6cVesywCa.README.txt

MD5 dd746ace17e44ace00885b91400f11d5
SHA1 4a0302d2dca400598f396e4230fdae71779cbeaa
SHA256 b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272
SHA512 8ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1

\ProgramData\2ECE.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2004-859-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/2004-861-0x0000000002140000-0x0000000002180000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 d66aa3f7a3053a282a21ea467c0ed737
SHA1 0be8041eb78cb88c2280f95afc3b6817d0525441
SHA256 5569c8c04f0249580a4bf013c2e349fc1aeb421a70061e05f1dcbcd77147881c
SHA512 fc5716096e69714f433de58687012ea0513bff81fd4a24d0289dd51adcf7a8d9f18fa82cc0363b2a4cfc01d59b079bbc6babfecc3ffddf971ea7286872c8a899

memory/2004-866-0x0000000002140000-0x0000000002180000-memory.dmp

memory/2004-869-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/2004-871-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/2004-892-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/2004-893-0x000000007EF60000-0x000000007EF61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-12 23:33

Reported

2024-03-12 23:36

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (614) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\ProgramData\3B99.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\3B99.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\3B99.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\PP7a5z5ecndad_5gm0z07f5hy1b.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPdeu05a70_i0c601ummpm80sbd.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPxkzv0kswx86pk68pnmw436aqb.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\6cVesywCa.bmp" C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\6cVesywCa.bmp" C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\3B99.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\6cVesywCa\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\6cVesywCa C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\6cVesywCa\DefaultIcon\ = "C:\\ProgramData\\6cVesywCa.ico" C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.6cVesywCa C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.6cVesywCa\ = "6cVesywCa" C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3356 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe C:\Windows\splwow64.exe
PID 3852 wrote to memory of 456 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 3356 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe C:\ProgramData\3B99.tmp
PID 3944 wrote to memory of 4624 N/A C:\ProgramData\3B99.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-12_825cef6d5ce0cdd0543e62e3a5a0da11_darkside.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{ADA75639-4A12-40BB-A231-3B84E5515BBF}.xps" 133547600935710000

C:\ProgramData\3B99.tmp

"C:\ProgramData\3B99.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3B99.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini

MD5 8c9799b66feebb9c956bde240a85d99e
SHA1 fb30d8722e80cc6d721fbe2d49d27cc7699193bf
SHA256 1e19eec535caaa0f492801614528d8c984e9f01bd4bca4de484b30005862bb5b
SHA512 bed1636a7fcd2c732e84ec119b9dac100fcadf90dc32278c9705ea867bbf09e415b747476d7533cfa605b983701f695146918ef38fbfa8d8d3191b4712d17507

F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\DDDDDDDDDDD

MD5 80b6df9df25d7d36d28a50e32935b429
SHA1 6b0193d599b5d9cf4b2ab243e686dd2f10153326
SHA256 d53bf403d2922006f0c2aa29eecc5451e5903b2b8c97556a1bbce407f2c6afa8
SHA512 ad15375deec7008f8c1d4f6e977018873737fd37d1a6efcf000397475b044d240f93333fb8bebbf6fc90436d88f8e47df764fec9cfddad09e4e309df49bcd724

C:\6cVesywCa.README.txt

MD5 dd746ace17e44ace00885b91400f11d5
SHA1 4a0302d2dca400598f396e4230fdae71779cbeaa
SHA256 b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272
SHA512 8ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1

C:\ProgramData\3B99.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 765fc2e8a465d4091435de3079edd9d2
SHA1 ee83d21e949a32de8b75d45bc1c1e31de9a0fefe
SHA256 9edb324418a15714968023f1e152302e6c68ef6a8976148b67392eaba4d9199a
SHA512 456dfea1fc60c513762766cc0bf5d9a03cec3e2aae3154703aa888bd6195fbcf7a654d24591d092ab8c9d9371a051d30c0b5e5536379c31c852694dd36dda66a

C:\Users\Admin\AppData\Local\Temp\{D1DF1398-4685-4951-B341-605B5ABAF796}

MD5 d0b88768aea99cd3779e640c5011b4f0
SHA1 46bbcb89d95ddcbfde90b9f44529390261e72b86
SHA256 99285a288be43afbf2321d0efa6a6dce073fae8f4b9ee444c95fe2f28df3710e
SHA512 a79f87abe49b4dc1f1d8647c011d39b49073c816c6b5efb80ee4a038329b4745bc817e39959fe0eccd7a42d2bdac52832cb040ae335c53b8573d85b6c9c944e8

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 2190c0911039fd51992863acdf22eedf
SHA1 c6a2927c6b140f65a3a1d537d4349c7dd104a33c
SHA256 e8ceb32269b24eb9cd2787144a6e1af7807d72461e73517d5e3670cee7c65ba6
SHA512 af406ed05f619da1b71aa016ad9811d24f98a76a59098b9694f7cc72af082e9e563b2fd8e31b3a7cfefbf037fbbbb5bee925e07cc85697b0f93256ffbd91c890