Malware Analysis Report

2024-11-15 07:21

Sample ID: 240313-v4tk8sba3y
Target: 2024-03-13_66b3e535355102fd0cede6506739e474_darkside
SHA256: 9b3cd385077933c2a72cba58d23dcde77852818c3ce1a361baa5c6bbd915b82f
Tags: lockbit ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 9b3cd385077933c2a72cba58d23dcde77852818c3ce1a361baa5c6bbd915b82f

Threat Level: Known bad

The file 2024-03-13_66b3e535355102fd0cede6506739e474_darkside was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Renames multiple (329) files with added filename extension

Renames multiple (579) files with added filename extension

Executes dropped EXE

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Loads dropped DLL

Drops desktop.ini file(s)

Drops file in System32 directory

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies Control Panel

Suspicious behavior: RenamesItself

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-13 17:33

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-13 17:33

Reported: 2024-03-13 17:35

Platform: win7-20240221-en

Max time kernel: 122s

Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe"

Signatures

Renames multiple (329) files with added filename extension

ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\93C7.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\93C7.tmp | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\NupqqeiS5.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\NupqqeiS5.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.NupqqeiS5 | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.NupqqeiS5\ = "NupqqeiS5" | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NupqqeiS5\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NupqqeiS5 | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NupqqeiS5\DefaultIcon\ = "C:\\ProgramData\\NupqqeiS5.ico" | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe"

C:\ProgramData\93C7.tmp

"C:\ProgramData\93C7.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\93C7.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files

memory/2020-0-0x0000000000350000-0x0000000000390000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini

MD5 5b8bfc098813cddf9d7312fc296ecd0d
SHA1 503a450b3cd5ba3ff097caa9321b6a802dc1766d
SHA256 b5a57ad3dd2deeba4b74508c7ca1ba5f3cb30af77074e1153d212987192f812e
SHA512 26d95876f134b091533b165af8d89abfa1ff51da73e06d30ab59ac32bd002bdd26ac45b6fe7b4447eaf7802fc8e246c8cddab860a4842006f7b05150a3b8b99f

C:\NupqqeiS5.README.txt

MD5 fb07c785132ffb451b7865b5f8be8793
SHA1 6ef563addf7aa1bc0a99b70a621bd7ba430a9412
SHA256 369475944802faa69d76362094571070a549f9153e29cf5d54e5fd34e36ca0bd
SHA512 92f1dadc9de8a3dd1aee9b5310b66ca9d98b26e587cf298e8967995fb2974a842c57e4c1d3458575a1890997cb62151ebbfce679c520f9868ec2d6ffa022f8fc

F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\GGGGGGGGGGG

MD5 58c95e73a02df8cfe7d7741f5e1cf751
SHA1 c33200ec051bbc3e044409f39ae9ec55a95887a3
SHA256 3048571e5ca3aa8b573b43eb404a45a0e465dc7342ee8340858d102a02523026
SHA512 80f0d0ff97db6e5b72fae648935974154169ebfca516510faeea90ce4a0132d35bdfe315101ca7a48a0d27048124e47509978001769b36b552719926a74c32d5

\ProgramData\93C7.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2468-846-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2468-848-0x0000000002410000-0x0000000002450000-memory.dmp

memory/2468-857-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/2468-859-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/2468-860-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 0ac760eb9419f5001c93c95015e08d96
SHA1 5f117ad05fbd7dac06dd979cce7ed7d559981dc5
SHA256 144c21c3975cd13d5888f316f074a082af4556373cb90556f031dddc294056cc
SHA512 13d660b3f5ad4ab143cd10d93cdcbb8c3608cedbff2f9ef716db112d3aa32ebced57063f3c88dd5ef59e58826ef50f9fbb39dee9c628ceb84b228d8498e94025

memory/2468-880-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/2468-881-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/2468-882-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-13 17:33

Reported: 2024-03-13 17:35

Platform: win10v2004-20240226-en

Max time kernel: 126s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe"

Signatures

Renames multiple (579) files with added filename extension

ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\ProgramData\8B88.tmp | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\8B88.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\8B88.tmp | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-983155329-280873152-1838004294-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-983155329-280873152-1838004294-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PP8jj73szlaimy_5208wggvud2d.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PPjoe_ihtvy1g7rsabt4v07p_tb.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PPsggdne2sy8zuainzzq6_70pf.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\NupqqeiS5.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\NupqqeiS5.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NupqqeiS5 | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NupqqeiS5\DefaultIcon\ = "C:\\ProgramData\\NupqqeiS5.ico" | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.NupqqeiS5 | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.NupqqeiS5\ = "NupqqeiS5" | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NupqqeiS5\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe | N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1792 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe C:\Windows\splwow64.exe
PID 1792 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe C:\Windows\splwow64.exe
PID 3056 wrote to memory of 2496 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 3056 wrote to memory of 2496 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 1792 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe C:\ProgramData\8B88.tmp
PID 1792 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe C:\ProgramData\8B88.tmp
PID 1792 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe C:\ProgramData\8B88.tmp
PID 1792 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe C:\ProgramData\8B88.tmp
PID 1160 wrote to memory of 1664 N/A C:\ProgramData\8B88.tmp C:\Windows\SysWOW64\cmd.exe
PID 1160 wrote to memory of 1664 N/A C:\ProgramData\8B88.tmp C:\Windows\SysWOW64\cmd.exe
PID 1160 wrote to memory of 1664 N/A C:\ProgramData\8B88.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{5D406187-31C6-4183-83E1-734BB85DB859}.xps" 133548247971320000

C:\ProgramData\8B88.tmp

"C:\ProgramData\8B88.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8B88.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 195.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 192.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

memory/1792-0-0x0000000002960000-0x0000000002970000-memory.dmp

memory/1792-1-0x0000000002960000-0x0000000002970000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-983155329-280873152-1838004294-1000\GGGGGGGGGGG

MD5 c5a51ecac1fe2b0bcaffd5b4500bbd85
SHA1 7040dd609f5541e72b06dd682d1040f97c30ae56
SHA256 6b27efc22de613a15c72dd80a03cb85ed394799915c1e65df42c2b6f97e4f55b
SHA512 98a27a50a52dca6e212fd8decb3710255d6b16b38c33d9ea4bfb0f400180fd0e8c13ed582d3d64efb57a5f023cf7854903be7d7ccd614a4ba3d4a25ce24beb88

C:\NupqqeiS5.README.txt

MD5 fb07c785132ffb451b7865b5f8be8793
SHA1 6ef563addf7aa1bc0a99b70a621bd7ba430a9412
SHA256 369475944802faa69d76362094571070a549f9153e29cf5d54e5fd34e36ca0bd
SHA512 92f1dadc9de8a3dd1aee9b5310b66ca9d98b26e587cf298e8967995fb2974a842c57e4c1d3458575a1890997cb62151ebbfce679c520f9868ec2d6ffa022f8fc

F:\$RECYCLE.BIN\S-1-5-21-983155329-280873152-1838004294-1000\DDDDDDDDDDD

MD5 a08dffe66a3c954418b270007104dcc5
SHA1 c24ad9e8583e637e15054cce6cf5e1812be086d8
SHA256 282fe4450e53d463fe5a4c3472ea8a6317514503c944f2be923a1c4fca5a8a02
SHA512 3f972f721900a6aa6e90f2b161f3bb4baf4ae9d818e8a7fc5d056815c67d980f0b83837dbaaed8f5d4d9f12325b2f17a16e459b4248e534e24ce848fbe178d1f

C:\ProgramData\8B88.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1160-2775-0x0000000002570000-0x0000000002580000-memory.dmp

memory/1160-2776-0x0000000002570000-0x0000000002580000-memory.dmp

memory/2496-2777-0x00007FF9CD6B0000-0x00007FF9CD6C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 efce452d69e6ffcfd5eccc5db3b68344
SHA1 eca01aab9ff22bb85acb893ad74a7bb3292811d9
SHA256 ca1f05b947b40db800463bb6635b8a04b2d3525668f7454b4a8c63df42000fcb
SHA512 d26d925ec5f878044041d4a49926828da9d43078b56c641dc73c5ca9f7747c08e99773042f2f0ea7b9a664ded3ef800f436c0fd163c30877c77af1b9e91774f8

memory/2496-2746-0x00007FF9CD6B0000-0x00007FF9CD6C0000-memory.dmp

memory/1160-2745-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/1160-2780-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/2496-2779-0x00007FF9CD6B0000-0x00007FF9CD6C0000-memory.dmp

memory/2496-2782-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

memory/2496-2781-0x00007FF9CD6B0000-0x00007FF9CD6C0000-memory.dmp

memory/2496-2783-0x00007FF9CD6B0000-0x00007FF9CD6C0000-memory.dmp

memory/1160-2778-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/2496-2784-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

memory/2496-2785-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

memory/2496-2786-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

memory/2496-2787-0x00007FF9CB4B0000-0x00007FF9CB4C0000-memory.dmp

memory/2496-2788-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

memory/2496-2789-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

memory/2496-2790-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

memory/2496-2791-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

memory/2496-2794-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

memory/2496-2793-0x00007FF9CB4B0000-0x00007FF9CB4C0000-memory.dmp

memory/2496-2792-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

memory/2496-2795-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

memory/2496-2796-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

memory/2496-2797-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

memory/2496-2798-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

memory/2496-2799-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

memory/2496-2800-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

memory/2496-2801-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{32614196-314B-426B-88C8-3A532A41AF54}

MD5 c41baea6784546eee8bd713bf1945a02
SHA1 6194c32db6cdca0a87ea90d9934d3914e758f1a9
SHA256 fbec759ab01c14f3890fffaccc219e144e4d2b0fcbb2faf678bae70553ea813a
SHA512 960bfb4fc1137a9944094d21e71d9d270d9347815418c40cf657ad4ab03f9a5591418d3afd0631eb416d8ff869f485e41a51bbbc7fec1797ee2e5fcc00c4cb97

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 339ae20457a4d7856c69b65096a39df9
SHA1 85ee28a115d8a431767305d0059f0c9d8f726209
SHA256 0d5f1aba7d2329bc69271a0de49c995c4693e5f7f9facec790787329c6ef33b6
SHA512 cc291e99dcc5b9a7fb5f0f0bd7ad6935c69126e918b23d8814f6d5ab32bc47377e3fbabc81adb6336aed40c0208a6c1536c5d6e68fd5ca4e6921b2c5d1efa4dc

memory/2496-2823-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp

memory/2496-2824-0x00007FFA0D630000-0x00007FFA0D825000-memory.dmp