Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 18-08-2024 09:41
Behavioral task: behavioral1
Sample: 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Resource: win10v2004-20240802-en
General
Target: 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Size: 150KB
MD5: 14e104b547415ec3f5487eba84a6ec08
SHA1: 87f24d0a5a3454ff27b2084f8f7f56a5a447a063
SHA256: fd1cef0a0d3fa6ba930666430c455424d5eeb2a7eaf1027ffc61935c167cd8b5
SHA512: 151ee246406474ee404cac2b9c1740f106f18a5ea7a72572f7aa7abeee41af0fff0ccda9d2290b08ab33dc8bd3e6c30a0af5068e209b775db31a0c49165bcac1
SSDEEP: 1536:zzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDnQzrUdtgA3ZKjo+WTnU44ETVO1:sqJogYkcSNm9V7DSrUdpioNT4QVO8UT
Malware Config
Extracted
Path: C:\rfcF8SdiJ.README.txt
Family: lockbit
Signatures
Lockbit
Ransomware family with multiple variants released since late 2019.
Renames multiple (586) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | A3E2.tmp
Deletes itself (1 IoCs)
pid | Process
1144 | A3E2.tmp
Executes dropped EXE (1 IoCs)
pid | Process
1144 | A3E2.tmp
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
File created | C:\Windows\system32\spool\PRINTERS\PP1f444fvmj64j8mcvrzmsyln3b.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPek9pb5k2_ipt1jcez4nnchqcc.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPlj1kbq3aw390o8nb6wgsky87.TMP | printfilterpipelinesvc.exe
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\rfcF8SdiJ.bmp" | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\rfcF8SdiJ.bmp" | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
1144 | A3E2.tmp
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | A3E2.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
Modifies Control Panel (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Modifies registry class (5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rfcF8SdiJ\ = "rfcF8SdiJ" | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\rfcF8SdiJ\DefaultIcon | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\rfcF8SdiJ | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\rfcF8SdiJ\DefaultIcon\ = "C:\\ProgramData\\rfcF8SdiJ.ico" | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rfcF8SdiJ | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Suspicious behavior: RenamesItself 26 IoCs
pid | Process
1144 | A3E2.tmp
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeAssignPrimaryTokenPrivilege | 3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Token: SeBackupPrivilege | 3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Token: SeDebugPrivilege | 3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Token: 36 | 3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Token: SeImpersonatePrivilege | 3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Token: SeIncBasePriorityPrivilege | 3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Token: SeIncreaseQuotaPrivilege | 3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Token: 33 | 3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Token: SeManageVolumePrivilege | 3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Token: SeProfSingleProcessPrivilege | 3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Token: SeRestorePrivilege | 3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Token: SeSecurityPrivilege | 3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Token: SeSystemProfilePrivilege | 3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Token: SeTakeOwnershipPrivilege | 3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
Token: SeShutdownPrivilege | 3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
(the remaining entries are repeated SeDebugPrivilege, SeBackupPrivilege and SeSecurityPrivilege adjustments by the same process)
Suspicious use of SetWindowsHookEx 13 IoCs
pid | Process
4340 | ONENOTE.EXE
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 3952 wrote to memory of 3476 | 3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe | 94
PID 4352 wrote to memory of 4340 | 4352 | printfilterpipelinesvc.exe | 99
PID 3952 wrote to memory of 1144 | 3952 | 2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe | 100
PID 1144 wrote to memory of 1436 | 1144 | A3E2.tmp | 101
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-18_14e104b547415ec3f5487eba84a6ec08_darkside.exe"
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3952
  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    - Drops file in System32 directory
    PID: 3476
  C:\ProgramData\A3E2.tmp
    Command line: "C:\ProgramData\A3E2.tmp"
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID: 1144
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A3E2.tmp >> NUL
      - System Location Discovery: System Language Discovery
      PID: 1436
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 3996
C:\Windows\system32\printfilterpipelinesvc.exe
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 4352
  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{6BDFC9B2-B405-4609-BCF1-F3BFE14CACA1}.xps" 133684476774800000
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    PID: 4340
Network
MITRE ATT&CK Enterprise v15
Downloads