Resubmissions (date, analysis ID, score)
- 31-05-2024 13:30  240531-qr8geaac2v  10
- 29-05-2024 05:43  240529-ge1rcsdb45  10
- 28-05-2024 19:03  240528-xqm8eagc5v  10
- 27-05-2024 12:51  240527-p3xcvaeb62  10
Analysis
- max time kernel: 905s
- max time network: 449s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 31-05-2024 13:30
Behavioral task: behavioral1
- Sample: 2024-05-27_b513460bd1a37456bc6b9d94a1bf4902_darkside.exe
- Resource: win11-20240426-en
General
- Target: 2024-05-27_b513460bd1a37456bc6b9d94a1bf4902_darkside.exe
  The submitted filename embeds the sample's own MD5 and a "darkside" label; the family signature and the ransom note extracted below identify the sample as LockBit. The two do not conflict: LockBit 3.0 (LockBit Black) is built on BlackMatter/DarkSide-lineage code.
- Size: 153KB
- MD5: b513460bd1a37456bc6b9d94a1bf4902
- SHA1: 26a32e368bfedebfcee03bd91f803f81d17dfc31
- SHA256: be97362c0dfc5b5e7553d3a98f53281b5b75f0e980dec23e2ed6ea704bd2d784
- SHA512: 8b55942e6425298a601e037efc7737dc47e364108c0d5d216296d858582684490cad0eb571e8fe4a32d0f754676632c92cca42ec8304a2ccfc4c1c2ebd1959a9
- SSDEEP: 3072:TqJogYkcSNm9V7DVnRobzucXlABZ7bMDztv11nIxT:Tq2kc4m9tDVnRMn1mMDztvY
Malware Config
Extracted from: C:\Users\FbSs2iXWU.README.txt (ransom note)
Family: lockbit
URLs:
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
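The URL list above mixes three kinds of endpoint that need different handling: genuine v3 .onion services (reachable only through Tor, so a resolver blocklist does nothing for them), Tor2web-style clearnet gateways that expose the same 56-character label under .onion.ly, and ordinary clearnet hosts. The script below is an added example, not part of the sandbox report: it classifies a subset of the extracted URLs and checks each .onion label against the v3 address checksum from the Tor rendezvous specification (SHA3-256 over the string ".onion checksum", the 32-byte Ed25519 public key and the version byte 3). The `EXTRACTED_URLS` subset is copied from the report; `classify`, `verify_onion_v3` and the key used in the test are this example's own.

```python
"""Classify the leak-site / support URLs a LockBit ransom note carries and
validate the v3 .onion labels. Added example, not from the sandbox report."""
import base64
import hashlib
import re
from urllib.parse import urlparse

# Subset of the URLs listed under "Malware Config" above (copied verbatim).
EXTRACTED_URLS = [
    "http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion",
    "http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion",
    "http://lockbitapt.uz",
    "http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly",
    "https://twitter.com/hashtag/lockbit?f=live",
    "http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion",
    "http://lockbitsupp.uz",
    "https://tox.chat/download.html",
]

ONION_V3_LABEL = re.compile(r"^[a-z2-7]{56}$")
GATEWAY_MIRROR = re.compile(r"^([a-z2-7]{56})\.onion\.[a-z0-9.-]+$")
ONION_VERSION = 3


def onion_v3_checksum(pubkey: bytes, version: int = ONION_VERSION) -> bytes:
    """Two-byte checksum defined by the Tor rendezvous spec (rend-spec-v3)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build a v3 address from a 32-byte Ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion addresses wrap a 32-byte Ed25519 public key")
    raw = pubkey + onion_v3_checksum(pubkey) + bytes([ONION_VERSION])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def verify_onion_v3(label: str) -> bool:
    """True if the 56-char label decodes to pubkey||checksum||version with a valid checksum."""
    if not ONION_V3_LABEL.match(label):
        return False
    raw = base64.b32decode(label.upper())  # 56 base32 chars -> exactly 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return version == ONION_VERSION and checksum == onion_v3_checksum(pubkey, version)


def classify(url: str) -> dict:
    """Tag a URL as onion-v3 / onion-invalid / onion-gateway-mirror / clearnet."""
    host = (urlparse(url).hostname or "").lower()
    if host.endswith(".onion"):
        label = host.rsplit(".", 2)[-2]
        kind = "onion-v3" if verify_onion_v3(label) else "onion-invalid"
        # Only reachable through Tor: a DNS blocklist cannot act on this host.
        return {"url": url, "host": host, "kind": kind, "dns_blockable": False}
    m = GATEWAY_MIRROR.match(host)
    if m:
        # Tor2web-style gateway: same hidden service, but the host resolves in DNS.
        return {"url": url, "host": host, "kind": "onion-gateway-mirror",
                "onion": m.group(1) + ".onion", "dns_blockable": True}
    return {"url": url, "host": host, "kind": "clearnet", "dns_blockable": True}


def blocklist(urls) -> list:
    """Distinct hostnames from the list that a DNS/proxy blocklist can act on."""
    return sorted({c["host"] for c in map(classify, urls) if c["dns_blockable"]})


if __name__ == "__main__":
    for entry in map(classify, EXTRACTED_URLS):
        print(f'{entry["kind"]:22} {entry["host"]}')
    print("blocklist:", blocklist(EXTRACTED_URLS))
```

Run as-is it prints one line per URL with its class, then the hostnames worth feeding to a resolver blocklist (the .uz domains, the .onion.ly gateway and twitter.com); the .onion hosts are reported separately because blocking them is a Tor-egress question, not a DNS one. A label that fails the checksum is usually a transcription error in the note or in the extraction rather than a real address, which is why the check is worth running before the IoC is shared.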
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019. In this run one per-sample token, FbSs2iXWU, appears as the appended file extension (.FbSs2iXWU), as the ransom note name (FbSs2iXWU.README.txt) and as the dropped icon and wallpaper (C:\ProgramData\FbSs2iXWU.ico and .bmp), which ties the rename, registry-class and wallpaper signatures below to the same sample.
- Renames multiple (550) files with added filename extension
  This suggests ransomware activity: files across the system are being encrypted and renamed.
- Deletes itself (1 IoC)
  Process: A634.tmp (PID 3596)
- Executes dropped EXE (1 IoC)
  Process: A634.tmp (PID 3596)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. No IoCs are attached to this signature in this run; given the file-rename activity above, the encryptor walking profile directories is the likelier explanation than credential theft.
- Drops desktop.ini file(s) (2 IoCs)
  Process: 2024-05-27_b513460bd1a37456bc6b9d94a1bf4902_darkside.exe
  - File opened for modification: C:\$Recycle.Bin\S-1-5-21-2994005945-4089876968-1367784197-1000\desktop.ini
  - File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-2994005945-4089876968-1367784197-1000\desktop.ini
- Drops file in System32 directory (4 IoCs)
  - File created: C:\Windows\system32\spool\PRINTERS\PPo82yli5g__d5straxjufkkkae.TMP (printfilterpipelinesvc.exe)
  - File created: C:\Windows\system32\spool\PRINTERS\PPzfiiwbg1x3e_cgcb_5px209l.TMP (printfilterpipelinesvc.exe)
  - File created: C:\Windows\system32\spool\PRINTERS\PPbk1iqxvn_rhtf1b700h3bhejb.TMP (printfilterpipelinesvc.exe)
  - File created: C:\Windows\system32\spool\PRINTERS\00002.SPL (splwow64.exe)
  These are print-spooler job files, not payloads: in the process tree below the sample (PID 3140) spawns splwow64.exe, and printfilterpipelinesvc.exe hands an .xps to ONENOTE.EXE /insertdoc, i.e. a print job routed to the OneNote printer. LockBit 3.0 is known to print its ransom note to available printers, and that is the likely origin of these files.
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Process: 2024-05-27_b513460bd1a37456bc6b9d94a1bf4902_darkside.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\FbSs2iXWU.bmp"
  - Set value (str): \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\FbSs2iXWU.bmp"
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Process: A634.tmp (PID 3596)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments. Note that all three IoCs are attributed to taskmgr.exe (PID 5108, a root process in the tree below), not to the sample.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments. Here all three reads come from ONENOTE.EXE (PID 4064), not from the sample.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (ONENOTE.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (ONENOTE.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (ONENOTE.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Also attributed to ONENOTE.EXE (PID 4064).
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (ONENOTE.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (ONENOTE.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (ONENOTE.EXE)
- Modifies Control Panel (2 IoCs)
  Process: 2024-05-27_b513460bd1a37456bc6b9d94a1bf4902_darkside.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Control Panel\Desktop\WallpaperStyle = "10"
  - Key created: \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Control Panel\Desktop
- Modifies registry class (5 IoCs)
  Process: 2024-05-27_b513460bd1a37456bc6b9d94a1bf4902_darkside.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.FbSs2iXWU
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.FbSs2iXWU\ = "FbSs2iXWU"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\FbSs2iXWU\DefaultIcon
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\FbSs2iXWU
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\FbSs2iXWU\DefaultIcon\ = "C:\\ProgramData\\FbSs2iXWU.ico"
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Process: ONENOTE.EXE (PID 4064), 2 events
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 2024-05-27_b513460bd1a37456bc6b9d94a1bf4902_darkside.exe (PID 3140), 60 events; taskmgr.exe (PID 5108), 4 events
- Suspicious behavior: RenamesItself (26 IoCs)
  Process: A634.tmp (PID 3596), 26 events
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Process: 2024-05-27_b513460bd1a37456bc6b9d94a1bf4902_darkside.exe (PID 3140)
  Privileges enabled, in order: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36 (numeric LUID the sandbox did not name), SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33 (numeric LUID), SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege; then SeDebugPrivilege once more, followed by 48 further adjustments alternating in pairs between SeBackupPrivilege and SeSecurityPrivilege, the pattern of a process toggling backup semantics while it walks files it would otherwise lack access to.
- Suspicious use of FindShellTrayWindow (41 IoCs)
  Process: taskmgr.exe (PID 5108), 41 events
- Suspicious use of SendNotifyMessage (41 IoCs)
  Process: taskmgr.exe (PID 5108), 41 events
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Process: ONENOTE.EXE (PID 4064), 16 events
- Suspicious use of WriteProcessMemory (11 IoCs)
  - PID 3140 (2024-05-27_b513460bd1a37456bc6b9d94a1bf4902_darkside.exe) wrote to PID 452 (splwow64.exe): 2 events
  - PID 3000 (printfilterpipelinesvc.exe) wrote to PID 4064 (ONENOTE.EXE): 2 events
  - PID 3140 (2024-05-27_b513460bd1a37456bc6b9d94a1bf4902_darkside.exe) wrote to PID 3596 (A634.tmp): 4 events
  - PID 3596 (A634.tmp) wrote to PID 4524 (cmd.exe): 3 events
  Every pair is a parent writing into a child it has just created (see the process tree below), which is the normal process-creation write, not injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-27_b513460bd1a37456bc6b9d94a1bf4902_darkside.exe (PID 3140)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-27_b513460bd1a37456bc6b9d94a1bf4902_darkside.exe"
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\splwow64.exe (PID 452)
    Command line: C:\Windows\splwow64.exe 12288
    - Drops file in System32 directory
  - C:\ProgramData\A634.tmp (PID 3596)
    Command line: "C:\ProgramData\A634.tmp"
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\cmd.exe (PID 4524)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A634.tmp >> NUL
- C:\Windows\system32\svchost.exe (PID 4680)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
- C:\Windows\system32\taskmgr.exe (PID 5108)
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\printfilterpipelinesvc.exe (PID 3000)
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 4064)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{7D28CB3F-43E1-4B1A-A6A7-7732D99F7638}.xps" 133616358645260000
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

Notes on the tree: the sample drops A634.tmp into C:\ProgramData; that helper renames itself repeatedly and then removes its own file through cmd.exe (the "Deletes itself" and "RenamesItself" signatures above). Its command line names C:\Windows\System32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe, which is WOW64 file-system redirection: A634.tmp is a 32-bit process. Likewise splwow64.exe (the print-driver host for 32-bit applications) appearing as a child of PID 3140 shows that the sample itself is 32-bit and issued a print job. The svchost.exe (PrintWorkflowUserSvc), printfilterpipelinesvc.exe and ONENOTE.EXE branches are the print path that job triggered, not additional malware components.
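The signatures and the process tree above show the pieces separately: a new file-extension class with its DefaultIcon in C:\ProgramData, the wallpaper set to a .bmp in the same directory, a README note named after the extension, and a ProgramData helper deleting itself through cmd.exe. Pulled together on the shared token they are one ransomware pattern. The script below is an added example, not the sandbox's own detection logic: it runs over `EVENTS`, a constructed list of Sysmon-shaped records (event_id 1 process create, 11 file create, 13 registry value set) whose values are copied from this report, correlates the indicators on the extension token, and returns a verdict. It generalizes past this sample: the token is matched, not hard-coded, so any extension name works. Field names, indicator names and the threshold are this example's assumptions.

```python
"""Correlate ransomware indicators from Sysmon-shaped telemetry on the shared
extension token. Added example; EVENTS is constructed from the report's IoCs."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-05-27_b513460bd1a37456bc6b9d94a1bf4902_darkside.exe"
HKU = r"HKU\S-1-5-21-2994005945-4089876968-1367784197-1000"

# Constructed telemetry (Sysmon field names, values from the report above).
# The ONENOTE.EXE record is benign noise from the same run.
EVENTS = [
    {"event_id": 13, "pid": 3140, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Classes\.FbSs2iXWU\(Default)", "details": "FbSs2iXWU"},
    {"event_id": 13, "pid": 3140, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Classes\FbSs2iXWU\DefaultIcon\(Default)",
     "details": r"C:\ProgramData\FbSs2iXWU.ico"},
    {"event_id": 13, "pid": 3140, "image": SAMPLE,
     "target": HKU + r"\Control Panel\Desktop\Wallpaper",
     "details": r"C:\ProgramData\FbSs2iXWU.bmp"},
    {"event_id": 11, "pid": 3140, "image": SAMPLE,
     "target": r"C:\Users\FbSs2iXWU.README.txt"},
    {"event_id": 1, "pid": 4524, "ppid": 3596, "parent_image": r"C:\ProgramData\A634.tmp",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A634.tmp >> NUL'},
    {"event_id": 13, "pid": 4064, "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
     "details": "(constructed)"},
]

TOKEN = r"([A-Za-z0-9]+)"
NEW_EXT_CLASS = re.compile(r"\\Classes\\\." + TOKEN + r"\\", re.I)
DEFAULT_ICON = re.compile(r"\\Classes\\" + TOKEN + r"\\DefaultIcon", re.I)
PROGRAMDATA_ART = re.compile(r"^C:\\ProgramData\\" + TOKEN + r"\.(?:ico|bmp)$", re.I)
WALLPAPER_VALUE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)
RANSOM_NOTE = re.compile(r"\\" + TOKEN + r"\.README\.txt$", re.I)
SELF_DELETE = re.compile(r"/C\s+DEL\s+/F\s+/Q\s+(\S+)\s*>>\s*NUL", re.I)
SELF_DELETE_IND = "self_delete_via_cmd"


def indicators(ev):
    """Yield (token, indicator) pairs raised by one event."""
    eid = ev["event_id"]
    if eid == 13:
        target, value = ev["target"], ev.get("details", "")
        m = NEW_EXT_CLASS.search(target)
        if m:
            yield m.group(1), "registers_new_extension"
        art = PROGRAMDATA_ART.match(value)
        m = DEFAULT_ICON.search(target)
        if m and art and m.group(1).lower() == art.group(1).lower():
            yield m.group(1), "default_icon_in_programdata"
        if art and WALLPAPER_VALUE.search(target):
            yield art.group(1), "wallpaper_in_programdata"
    elif eid == 11:
        m = RANSOM_NOTE.search(ev["target"])
        if m:
            yield m.group(1), "ransom_note_named_after_extension"
    elif eid == 1:
        parent = ev.get("parent_image", "")
        if SELF_DELETE.search(ev.get("command_line", "")) and parent.lower().startswith("c:\\programdata\\"):
            # The helper is deleting its own file; key this indicator on the helper's name.
            yield parent.rsplit("\\", 1)[-1], SELF_DELETE_IND


def analyze(events):
    """Map each token to the set of indicator names seen for it."""
    by_token = defaultdict(set)
    for ev in events:
        for token, name in indicators(ev):
            by_token[token].add(name)
    return dict(by_token)


def verdict(events, threshold=3):
    """Tokens with >= threshold correlated indicators, plus whether self-deletion was seen."""
    by_token = analyze(events)
    tokens = sorted(t for t, names in by_token.items()
                    if len(names - {SELF_DELETE_IND}) >= threshold)
    self_delete = any(SELF_DELETE_IND in names for names in by_token.values())
    return {"ransomware_tokens": tokens, "self_delete": self_delete}


if __name__ == "__main__":
    for token, names in analyze(EVENTS).items():
        print(token, sorted(names))
    print(verdict(EVENTS))
```

On the constructed input the token FbSs2iXWU collects four indicators and A634.tmp one, so the verdict names FbSs2iXWU and flags self-deletion; the ONENOTE.EXE registry read, like the taskmgr.exe SCSI reads in the report, raises nothing. The threshold of three keeps a single legitimate installer registering an extension with an icon from firing; the self-delete indicator is tracked separately because it keys on the helper's name, not on the extension.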
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: f8d534df11b81048cd2be6bf51ec8d5f
  SHA1: 1f726729641e62d0f5db25bf88bf2f8a4cc59443
  SHA256: 1ad94ee84868d55d42fcc93d05dc1e554964e6ff0d32a8a67924205ffdd309cd
  SHA512: ec2f98763db4296accaa2e81fc35a399b6c6e6debdf5ae812054cbcd52eb88c52f1bb03e2fa75996efdfd2bd517ead2b88bfe42c68af294ca6f5ffd2dc2a2787
- Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
- Filesize: 13.0MB
  MD5: 82504b1c2b24d6ebe98c75f68cec2bb3
  SHA1: cbc336a156726fd8d1069b058b35f42b2f7adddc
  SHA256: 5bad6bead55ec1f5eab817c8a50c8902af7f47ee60214550da87a792f3a08a43
  SHA512: a672d066bbd6861045dc02524e2a2eb95a9f26fe5a96d56a4bd594b785a0179539800bf8910174d7b7eaf739fab89fb4abf7d372c0f5ddbae1b4a24e20470abd
- Filesize: 153KB
  MD5: b2966b7ef4b5be46aae7c2a85c7987ec
  SHA1: 1e36f87e3ae0cf22b0bb366de9f1d1697808177d
  SHA256: 1921f5efff21434f269b201611892859d4648152cd536715ed8f2347881caf25
  SHA512: ecbed154166c99158e56c04e476583b000f1915dd05d85af6961d482159d104c00d131aaebc95eed820bed17d585722c821fadc2da69f82f449fe80f6c758028
  (same size as the submitted sample, different hashes)
- Filesize: 4KB
  MD5: 0e6d04e102fa46510584354e131331ff
  SHA1: c877fb5991fc560cb7c202392b17c2927665325f
  SHA256: c7d18b8789de70a301c51955119d3f1bc5a696b2c3551cc856e17f916be0eb7b
  SHA512: eac79a8c0b0b6e18a0cf842b6ac4c23815dca211efe934680bebfeb80efc33038a91ea88e04e97538d4082ed626a60639f73e2ad1d5d35c123e4bfbec5e97986
- Filesize: 4KB
  MD5: 8f0922697ce22047aa087499aeea7695
  SHA1: 2d78ee006abf453a0c10d976c3d95f51b218f768
  SHA256: 70583bfd502503245587523c5edfa30831bf07bd5757221055f6163427cbd712
  SHA512: 5a318ba0a4173fca60965942479794dd9d09784c921c32262cdec319f58f8f2923225bb5f23c476ee59929c775720f12b6987e6ad91fe5ed9a23107ed6a5a0ef
- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998 (the MD5 of a bare CRLF pair)
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- Filesize: 4KB
  MD5: 44041bcdd3aa6664fcbd3e5afcc1dfe6
  SHA1: 7a94647607244aafac201ef1dfc46b375c3c511d
  SHA256: a458a31e43553b4b1ee22c7bb087759ed6b4c50973bbde63a6ced013ecc156ed
  SHA512: c4894a4c2350cebc1222a1297f5afe6d9a0f1ab1c48c8b5889746ff37f534e29a4b240485f8362fe6dd7204ece0e4a017786af14d42eee3c760e6067a1af0c95
- Filesize: 6KB
  MD5: dd746ace17e44ace00885b91400f11d5
  SHA1: 4a0302d2dca400598f396e4230fdae71779cbeaa
  SHA256: b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272
  SHA512: 8ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1
- Filesize: 129B
  MD5: 8c92c24ba0719bedfbe4dd446a9b1bd5
  SHA1: 668f26673ecef503f2125b63c8526aeac11a8fae
  SHA256: 59e172b96a131d85d77ee8fd038962c1e8d44b58f48160f43f1f2c76838b0e49
  SHA512: c641ff3aa3544b05664a0185d3f9346a1e6d3e0e825eb6a7ba88a1ce079624a5d1f89d475d57a071bb0ab5de167d8a50f857ba2d276e6a001e39e271c16d15d6