lockbit | 55b2351ca0356b5071b67ad88becdf41f35b6f0624142db61ad6bc5ae71f9c27

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 17:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Size

153KB
MD5

713c0b2580a14c603a3e8304a0ace305
SHA1

9485e1ba5f152838c0b0625f8cfebad17a6aa48b
SHA256

55b2351ca0356b5071b67ad88becdf41f35b6f0624142db61ad6bc5ae71f9c27
SHA512

3916fa104ac27294c4070cb032014e8b94b887255267a3930020eb6cc6470e32cf82ef8b333798955c93adf605708aa7e729d6f9697acbe727a6437c355d6b3d
SSDEEP

3072:8qJogYkcSNm9V7DXCMTANJR3I6yD7T/bmvWnT:8q2kc4m9tDScg34p6

Score

10^/10

lockbit defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\ZkY0iHrYy.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2077~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Deletes itself 1 IoCs

pid	Process
2456	EB58.tmp

Executes dropped EXE 1 IoCs

pid	Process
2456	EB58.tmp

Loads dropped DLL 1 IoCs

pid	Process
2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2958949473-3205530200-1453100116-1000\desktop.ini	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\desktop.ini	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ZkY0iHrYy.bmp"	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ZkY0iHrYy.bmp"	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2456	EB58.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EB58.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\WallpaperStyle = "10"	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\International	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZkY0iHrYy	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZkY0iHrYy\DefaultIcon\ = "C:\\ProgramData\\ZkY0iHrYy.ico"	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ZkY0iHrYy	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ZkY0iHrYy\ = "ZkY0iHrYy"	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZkY0iHrYy\DefaultIcon	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp
2456	EB58.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeDebugPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: 36	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeImpersonatePrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeIncBasePriorityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeIncreaseQuotaPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: 33	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeManageVolumePrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeProfSingleProcessPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeRestorePrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSystemProfilePrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeTakeOwnershipPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeShutdownPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeDebugPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2456	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe	34
PID 2420 wrote to memory of 2456	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe	34
PID 2420 wrote to memory of 2456	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe	34
PID 2420 wrote to memory of 2456	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe	34
PID 2420 wrote to memory of 2456	2420	20240901713c0b2580a14c603a3e8304a0ace305darkside.exe	34
PID 2456 wrote to memory of 2560	2456	EB58.tmp	35
PID 2456 wrote to memory of 2560	2456	EB58.tmp	35
PID 2456 wrote to memory of 2560	2456	EB58.tmp	35
PID 2456 wrote to memory of 2560	2456	EB58.tmp	35

C:\Users\Admin\AppData\Local\Temp\20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
"C:\Users\Admin\AppData\Local\Temp\20240901713c0b2580a14c603a3e8304a0ace305darkside.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\ProgramData\EB58.tmp
  "C:\ProgramData\EB58.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\EB58.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2958949473-3205530200-1453100116-1000\desktop.ini

Filesize
129B

MD5
f7bcc5ee3269604a396c3f61da495933

SHA1
b054e1ebe15bc5e60c2ece747cca51c89c9e3fb3

SHA256
fa156fb7ee91b520a165519bed180e73389827e220a156c363fcb6df1bbe5c83

SHA512
d1fc92946e8cf011218b593f4a44a8dca4fa1e0cf625abc034cca31521e614903129972543191fbfbf8129e07e974bdda424375a9c5fca6f254b210212404b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
153KB

MD5
7470283ed1eec720c6236a138bd7d9ca

SHA1
8b1bebb7ffcf4b42104eba914db7e98c8aa67858

SHA256
70dd289cc0a4adfd2bb9b9bf07299ab2f73e393094f4d67bed5e078610fb6877

SHA512
676d1771e5e52111287108c4d2429764ee5e1b3c7db1b4384f4c72b58b995e6e6af2e1e56771bd4ac0d02e5d88127e9090eaab3cc6c9841b547fe40b40ce0698

Download Submit
C:\ZkY0iHrYy.README.txt

Filesize
6KB

MD5
f9366230690f4341bc9c9d958d042cc0

SHA1
9ae05629d0cee0b7e0d1a87e0ec812575c7cfe68

SHA256
53e1aff3d9bdee7c6c0068f5553d88fca8f1399007fb47372717397d06d8f433

SHA512
42af70bc2e1109633e259fc8a65650b1d8ff4d41456abcb39b4aba80c68d711192f2a21da3c9889fc71e7624692f0ddd3216c570ad8b67c48f09f180f11f8931

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\DDDDDDDDDDD

Filesize
129B

MD5
e3e182c47fbb40ead8af9a449acfc513

SHA1
3e3409068672f6e461f8594838f6ca321526f371

SHA256
d104a672d322f06e970ab06eecb409bb6cc77b74f76326ec5cab6253f7b0934b

SHA512
341157f4e9d8dd719108697af976ad4468ad8004d18e619b21132cb759943256ca494dd775b3bcec94d88d6bdbfcdc63f464b6ab57429980f1192f2a34abdc8b

Download Submit
\ProgramData\EB58.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/2420-0-0x0000000000CF0000-0x0000000000D30000-memory.dmp

Filesize
256KB

Download
memory/2456-888-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2456-892-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2456-891-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2456-889-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download