Malware Analysis Report

2024-11-15 07:22

Sample ID: 240313-smn83sab45
Target: 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside
SHA256: c0afa7d1d390d4d6310be70c31a01fb668521fb33a2b3239e41f3e8231451eac
Tags: lockbit spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: c0afa7d1d390d4d6310be70c31a01fb668521fb33a2b3239e41f3e8231451eac

Threat Level: Known bad

The file 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside was found to be: Known bad. The "darkside" suffix is part of the submitted file name, not a classification: the static rule and the family tag both identify the payload as LockBit 3.0.

Malicious Activity Summary

Tags: lockbit spyware stealer

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Deletes itself

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Drops desktop.ini file(s)

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-13 15:14

Signatures

Lockbit family (tag: lockbit)

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 15:14

Reported

2024-03-13 15:17

Platform

win7-20240221-en

Max time kernel

121s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\2F89.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\2F89.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A

Reads user/profile data of web browsers (tags: spyware, stealer)

No indicator rows are recorded for this signature. It fires on file reads under browser profile directories, which an encryptor walking every user file is expected to trigger, and the Network section of this run records no traffic at all; treat the spyware/stealer tags as weak evidence of credential theft unless further analysis shows otherwise.

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
(26 identical rows in the report, condensed to one here)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: 36 (LUID not resolved by the sandbox; 36 is SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE in winnt.h) N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: 33 (LUID not resolved by the sandbox; 33 is SE_INCREASE_WORKING_SET_PRIVILEGE in winnt.h) N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeBackupPrivilege / SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A (48 further rows condensed: the two privileges are enabled in alternating pairs, 24 rows each; SeBackupPrivilege lets the process open files for reading regardless of their DACLs, SeSecurityPrivilege grants access to their SACLs)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe"

C:\ProgramData\2F89.tmp

"C:\ProgramData\2F89.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2F89.tmp >> NUL

(The command line names System32\cmd.exe but the image that actually ran is SysWOW64\cmd.exe: the parent is a 32-bit process, so WoW64 file-system redirection applies. C:\PROGRA~3 is the 8.3 short name of C:\ProgramData on a default install, so this is the dropped 2F89.tmp removing itself after running, which is what the "Deletes itself" signature records.)
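The process tree above is a three-step chain: the sample writes a helper to C:\ProgramData, runs it, and the helper spawns cmd.exe to delete its own image. The following detection logic, an added example that is not part of the sandbox report, walks process-creation events and reports that chain. The events are constructed to mirror behavioral1 (the PIDs, the parent PID 1200 and the benign installer chain are invented), and the field names pid, ppid, image and cmdline are assumed to come from a Sysmon Event ID 1 style log; it matches the deleted file by name because the sample uses the 8.3 short path, which defeats full-path comparison.

```python
"""Flag the drop -> execute -> self-delete chain seen in the process tree above.

Added example for this report, not sandbox output. The event list is
constructed to mirror behavioral1 (sample -> C:\\ProgramData\\2F89.tmp ->
cmd.exe DEL), with invented PIDs and one benign chain; the field names
(pid, ppid, image, cmdline) follow the shape of Sysmon Event ID 1 process
creation records, an assumption about the log source.
"""
import re
from typing import Dict, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe"

# Constructed events. PIDs 1200/3100/5000/5001 and the setup.exe chain are invented.
EVENTS: List[Dict[str, str]] = [
    {"pid": "2948", "ppid": "1200", "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": "460", "ppid": "2948", "image": r"C:\ProgramData\2F89.tmp",
     "cmdline": r'"C:\ProgramData\2F89.tmp"'},
    {"pid": "3100", "ppid": "460", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2F89.tmp >> NUL'},
    # Benign control: an installer removes its own log through cmd.exe. The
    # deleted file was never executed, so this must not be reported.
    {"pid": "5000", "ppid": "1200", "image": r"C:\Users\Admin\Downloads\setup.exe",
     "cmdline": r'"C:\Users\Admin\Downloads\setup.exe"'},
    {"pid": "5001", "ppid": "5000", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\install.log'},
]

# "cmd.exe /C DEL [/F /Q ...] <path>"; anything after the path (">> NUL") is ignored.
DEL_RE = re.compile(r"/C\s+DEL\b(?:\s+/[FQAS])*\s+(?P<path>\S+)", re.IGNORECASE)

# User-writable locations from which executables were launched in this report.
STAGING_PREFIXES = ("c:\\programdata\\", "c:\\users\\")


def basename(path: str) -> str:
    """Case-folded final path component. The sample deletes via the 8.3 short
    form (C:\\PROGRA~3), so a full-path comparison would miss it; names do not."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_self_delete_chains(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one record per executed-from-staging binary that was deleted by a
    cmd.exe descended from that binary's own process."""
    by_pid = {e["pid"]: e for e in events}
    # Executables launched from a staging directory, keyed by file name.
    executed = {basename(e["image"]): e for e in events
                if e["image"].lower().startswith(STAGING_PREFIXES)}
    hits: List[Dict[str, str]] = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = executed.get(basename(m.group("path")))
        if target is None:
            continue  # cmd.exe deleted something, but not a binary that ran
        # The deleted binary must be an ancestor of the cmd.exe that deletes it.
        anc = by_pid.get(e["ppid"])
        depth = 0
        while anc is not None and depth < 8:
            if anc["pid"] == target["pid"]:
                dropper = by_pid.get(target["ppid"], {})
                hits.append({
                    "dropped": target["image"],
                    "dropped_pid": target["pid"],
                    "dropper": dropper.get("image", "<unknown>"),
                    "deleter_pid": e["pid"],
                    "deleter_cmdline": e["cmdline"],
                })
                break
            anc = by_pid.get(anc["ppid"])
            depth += 1
    return hits


if __name__ == "__main__":
    for hit in find_self_delete_chains(EVENTS):
        print(f'{hit["dropper"]} dropped {hit["dropped"]} (pid {hit["dropped_pid"]}), '
              f'which removed itself via pid {hit["deleter_pid"]}: {hit["deleter_cmdline"]}')
```

Run as a script it prints the single chain from the constructed events; the installer's log cleanup is not reported because install.log never appeared as a process image. The ancestry walk is what keeps the rule tight: a cmd.exe that deletes a staged binary from an unrelated process tree is a different (and rarer) pattern that deserves its own rule rather than a widened match here.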

Network

N/A

Files

memory/2948-0-0x00000000001A0000-0x00000000001E0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini

MD5 c1e4e7609e7f2744a8d9a79f7aa7ecac
SHA1 b0338d8cf096b0d5a38af6b89980622f4eec9c3c
SHA256 78c2fce0fbfb5d72ac6e3d4e60023e58d205b28f09ee7a4bb070fbd77440425c
SHA512 37bd2373d3203cfd63a0ee3c03052fe1a2955ab144e9718b370e3139235282ccbe03fd89763fc3f602799c82dd006f0bd30534660858e5078d3df04b4d6e6deb

F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\BBBBBBBBBBB

MD5 dd4975b2727eb600065d326ea4320c84
SHA1 ab8f89c06026fb1894260212da8f5e249338d6a3
SHA256 a2c64a45622e2b489b8b9870ee68e0bac77f5eb34e81fcdc513343a7f2cfd724
SHA512 d9364e05f6708a409c4da3b2e0007826cb22df8b41ad98cc8ca1253a4f4800a5865b7f7cf0e68527ca75ae93170cd304ef794fa1cbc69b112212068f709b134c

C:\PD9tZdd3p.README.txt

MD5 3c30a01742ea1df843789b45788be189
SHA1 fccfb826237ba1d9bf28c938837b76522b864532
SHA256 d3ac4e88de00362317d3aff94930598ef32d3da8d67eebbf03f01d19fd297876
SHA512 b0bc1a90f83813d4b9c8ee01b5c718381bfef2675140602753a24c033fa3b352e68a556988d4bc3d718d08a1564245bd634f26e96095e94c1605a9213d570a2f

\ProgramData\2F89.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/460-851-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/460-852-0x0000000002210000-0x0000000002250000-memory.dmp

memory/460-856-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/460-858-0x000000007EF20000-0x000000007EF21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 61e9031bde6efcb02a2e65f3eb99a4f5
SHA1 c64db47e6023937a840826132486966e5f34c8e4
SHA256 0c10eee03498c0e008b1a5471638e5d81da2051cc896b0ce8cae74f99284fbc6
SHA512 0eb4ed73e5ef3cd0a765f82cbcc8d5410313bbab4aa6ff62950c95d4e507723b5d8b026f748c28bee6203f8f054d09f1ac6171f4dd96493c18bdc63d6c8b5235

memory/460-883-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/460-884-0x000000007EF60000-0x000000007EF61000-memory.dmp
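The Files section gives three on-disk artifacts worth sweeping other hosts for: a ransom note at the volume root (PD9tZdd3p.README.txt), desktop.ini written under $Recycle.Bin\<SID> on every volume, and an executable dropped as ProgramData\<hex>.tmp. The scanner below is an added example, not code from the sandbox or from the report; it builds a throwaway tree that mirrors those paths (drive letters become sub-directories of a temp dir, file contents are stubs, and the 1A2B.tmp text file and notes.txt are invented controls) and applies rules that generalise the names in this report: a nine-character alphanumeric note prefix and a three-to-four hex digit .tmp name. The MZ check is what separates a dropped PE from ordinary scratch files that share the naming pattern.

```python
"""Triage a file tree for the on-disk artifacts listed in this report.

Added example, not part of the sandbox report. It creates a throwaway
directory that mimics the Files section (ransom note at the volume root,
desktop.ini under $Recycle.Bin\\<SID>, an MZ file dropped as
ProgramData\\<hex>.tmp) and scans it. Drive letters become plain
sub-directories of a temp dir so the example runs on any OS; the rules match
on path components, not absolute Windows paths. File contents are stubs.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

NOTE_RE = re.compile(r"^[A-Za-z0-9]{9}\.README\.txt$")  # report: PD9tZdd3p.README.txt
TMP_PE_RE = re.compile(r"^[0-9A-Fa-f]{3,4}\.tmp$")        # report: 2F89.tmp, D0C.tmp
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){4}$")             # per-user SID directory

SID = "S-1-5-21-2461186416-2307104501-1787948496-1000"    # SID seen in behavioral1


def scan_tree(root: Path) -> List[Dict[str, str]]:
    """Return one finding per matching file; each finding names the rule it hit."""
    findings: List[Dict[str, str]] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = [s.lower() for s in p.relative_to(root).parts]
        name = p.name
        if NOTE_RE.match(name):
            findings.append({"type": "ransom_note", "path": str(p),
                             "campaign_id": name.split(".", 1)[0]})
        elif (name.lower() == "desktop.ini" and len(rel) >= 3
              and rel[-3] == "$recycle.bin" and SID_RE.match(p.parts[-2])):
            findings.append({"type": "recycle_bin_desktop_ini", "path": str(p)})
        elif TMP_PE_RE.match(name) and len(rel) >= 2 and rel[-2] == "programdata":
            with p.open("rb") as fh:
                is_pe = fh.read(2) == b"MZ"   # only flag real executables
            if is_pe:
                findings.append({"type": "dropped_pe_in_programdata", "path": str(p)})
    return findings


def build_sample_tree(base: Path) -> None:
    """Constructed fixture mirroring the report's paths; contents are stubs."""
    files = {
        ("C", "PD9tZdd3p.README.txt"): b"stub ransom note body (constructed)\n",
        ("C", "$Recycle.Bin", SID, "desktop.ini"): b"[.ShellClassInfo]\n",
        ("F", "$RECYCLE.BIN", SID, "desktop.ini"): b"[.ShellClassInfo]\n",
        ("C", "ProgramData", "2F89.tmp"): b"MZ" + b"\x00" * 62,        # stub PE header only
        ("C", "ProgramData", "1A2B.tmp"): b"plain text scratch file\n",  # invented control: not a PE
        ("C", "Users", "Admin", "notes.txt"): b"benign\n",               # invented control
    }
    for parts, data in files.items():
        path = base.joinpath(*parts)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo() -> List[Dict[str, str]]:
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        build_sample_tree(base)
        return scan_tree(base)


if __name__ == "__main__":
    for f in demo():
        print(f["type"], f["path"], f.get("campaign_id", ""))
```

The campaign_id field is the note's nine-character prefix. This report shows only the note, not any renamed user files; LockBit 3.0 builds are widely reported to append that same string as the extension of encrypted files, which is background knowledge rather than something this run demonstrates, so a real sweep would add a rule for files ending in "." followed by the recovered prefix.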

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 15:14

Reported

2024-03-13 15:17

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\ProgramData\D0C.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\D0C.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\D0C.tmp N/A

Reads user/profile data of web browsers (tags: spyware, stealer)

No indicator rows are recorded for this signature; it fires on file reads under browser profile directories, which an encryptor walking every user file is expected to trigger, so the tags alone are weak evidence of credential theft.

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP7wn8itlda1wdtcbxafgp7d7wb.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPh0jaylcpv2m4k5m93gitgdjld.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPkg6olrnyc705vluhii6gztrxb.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

(All four files are written by the print subsystem, splwow64.exe and printfilterpipelinesvc.exe, not by the sample directly: spool files under system32\spool\PRINTERS appear when a process submits a print job. LockBit 3.0 is known to print its ransom note to attached printers, which also accounts for the sample writing into splwow64.exe recorded under "Suspicious use of WriteProcessMemory" below.)

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

(These rows, and the system-info rows that follow, are attributed to ONENOTE.EXE, an application present in the sandbox image, not to the sample or its dropped file; they do not by themselves show the sample fingerprinting the host.)

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
(64 identical rows in the report, condensed to one here)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: 36 (LUID not resolved by the sandbox; 36 is SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE in winnt.h) N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: 33 (LUID not resolved by the sandbox; 33 is SE_INCREASE_WORKING_SET_PRIVILEGE in winnt.h) N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A
Token: SeBackupPrivilege / SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe N/A (48 further rows condensed: the two privileges are enabled in alternating pairs, 24 rows each, the same sequence as in behavioral1)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4924 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe C:\Windows\splwow64.exe
PID 2964 wrote to memory of 3804 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 4924 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe C:\ProgramData\D0C.tmp
PID 1428 wrote to memory of 2636 N/A C:\ProgramData\D0C.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{FBD4FDDC-1799-4080-AB23-2B495EC67C7C}.xps" 133548165133840000

C:\ProgramData\D0C.tmp

"C:\ProgramData\D0C.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D0C.tmp >> NUL

Network


Files

C:\$Recycle.Bin\S-1-5-21-513485977-2495024337-1260977654-1000\AAAAAAAAAAA

MD5 ae7915ec1e469888401ffc1bd5a7ef9a
SHA1 729ffed25005716ae17441088f4eb2d7e7acc73a
SHA256 62390ea6672eb242fcc7391dbeee43e2ba0c3e2d2bb377e4e8ec17cea63947e3
SHA512 50921d57021e9f6f111c8dd3dccd8ece5e91c710840b0abc0207e801cbace9a7b4a3bba51c988154ba12d2cd778c7bc0159581fa6d39f41b4a2c324b6bdcacbf

F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\EEEEEEEEEEE

MD5 5bf01a57f80a8b802ff42b7cef1baaba
SHA1 49e7d2cc79e18feb9e06ee0adb7d676b5896307b
SHA256 7dff78ae76c4966cbb596f89b1b177beed733c42d2ade8ca9591bd59d3bf490f
SHA512 9e95744f0e01269e0b9ff1888749a44f1bacf0e4107d6f56223056dba65e9cfcaf23874d0df18ff5d16cc0f226d0db86f3bee9d2026efe5a17629505dd0650a5

C:\PD9tZdd3p.README.txt

MD5 3c30a01742ea1df843789b45788be189
SHA1 fccfb826237ba1d9bf28c938837b76522b864532
SHA256 d3ac4e88de00362317d3aff94930598ef32d3da8d67eebbf03f01d19fd297876
SHA512 b0bc1a90f83813d4b9c8ee01b5c718381bfef2675140602753a24c033fa3b352e68a556988d4bc3d718d08a1564245bd634f26e96095e94c1605a9213d570a2f

C:\ProgramData\D0C.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 ab37d27f5a2fdf24ccaf91ade1f96b6a
SHA1 2029cdb52d7216ea5c79d4974a2630a6d98f38f1
SHA256 8fe62239224687d2728e00fd047237c76fac41cdc37fbad67227ed08f3e295e5
SHA512 0e3a37f0d449874b00f6bc9bcd6c137d939e8230da32fa601fcedb3253d4240aaf72353947f1821cea60b052b3eade2302fd0eea16161e88c0783bef62996005

C:\Users\Admin\AppData\Local\Temp\{3F288CA6-547D-4647-B03E-704A8AC8D19A}

MD5 1b9535c7df4f92e3c836a234a89a5614
SHA1 a86ca7ede9eaa11e2ae0452f1257a6f7298febe8
SHA256 d19c9a109966b4aee274e7c2f0253fd146d83b31db16f780c00451b86e21db7b
SHA512 0ca63ccb9e71787f0aaca1e4205d87903bfe61465ecaa7e78d0c066cdec2c9e2d5f5dd4c98456a483b06607106d7da5b2c1d832b6681f19cb3c12054155c73a8

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 6889a9288f74e3aeaa9cbdd9914b4b73
SHA1 633fe07dc8479df849dabc1698e11e7442b9c68e
SHA256 d8a1bcda46149cf1db09d2db349dae09da9939c8f06541249a0f5fa5b903f3c5
SHA512 6612fa7d0a1af82aa52c52e5284da8674de3aee577f5b78b7c3d5045c4f63b2aef42b14a08edb37fb4d43c0de847d9d15fecf9db5997985769193bb7035c5df9