lockbit | 442037de029939e4c234fca54a621c126172482afcd4a832beb24715df7d8235

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Size

153KB
MD5

6108e5ec22ef67c52473f04a6f68b91a
SHA1

ef45fd676e04c5506e7d8f383aabd96396012539
SHA256

442037de029939e4c234fca54a621c126172482afcd4a832beb24715df7d8235
SHA512

bca74b79dab4c2d80a34aac87250f7652fc969e50928669f804b024155bf7fd2526198769df3f84ce0d93977fee21c8caea3cc5c1083c2b9cf66f17c9f28024a
SSDEEP

3072:uqJogYkcSNm9V7Dl7GbPxQgr9dIZyhhyT:uq2kc4m9tDl7GbPnr9KZe

Score

10^/10

lockbit defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Sjn6OybIL.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2077~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	D5EE.tmp

Deletes itself 1 IoCs

pid	Process
2448	D5EE.tmp

Executes dropped EXE 1 IoCs

pid	Process
2448	D5EE.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\PPz370g69nz1m7grwwcqwqg5oib.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPaz17eju6p0kp5hkijroysqs0d.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPweueclqsgtd80wius0hlft80.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Sjn6OybIL.bmp"	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Sjn6OybIL.bmp"	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2448	D5EE.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D5EE.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\WallpaperStyle = "10"	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Sjn6OybIL	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Sjn6OybIL\ = "Sjn6OybIL"	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Sjn6OybIL\DefaultIcon	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Sjn6OybIL	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Sjn6OybIL\DefaultIcon\ = "C:\\ProgramData\\Sjn6OybIL.ico"	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp
2448	D5EE.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeDebugPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: 36	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeImpersonatePrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeIncBasePriorityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeIncreaseQuotaPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: 33	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeManageVolumePrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeProfSingleProcessPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeRestorePrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSystemProfilePrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeTakeOwnershipPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeShutdownPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeDebugPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeBackupPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
Token: SeSecurityPrivilege	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1432	ONENOTE.EXE
1432	ONENOTE.EXE
1432	ONENOTE.EXE
1432	ONENOTE.EXE
1432	ONENOTE.EXE
1432	ONENOTE.EXE
1432	ONENOTE.EXE
1432	ONENOTE.EXE
1432	ONENOTE.EXE
1432	ONENOTE.EXE
1432	ONENOTE.EXE
1432	ONENOTE.EXE
1432	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 932	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe	87
PID 4680 wrote to memory of 932	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe	87
PID 224 wrote to memory of 1432	224	printfilterpipelinesvc.exe	93
PID 224 wrote to memory of 1432	224	printfilterpipelinesvc.exe	93
PID 4680 wrote to memory of 2448	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe	94
PID 4680 wrote to memory of 2448	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe	94
PID 4680 wrote to memory of 2448	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe	94
PID 4680 wrote to memory of 2448	4680	2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe	94
PID 2448 wrote to memory of 3664	2448	D5EE.tmp	95
PID 2448 wrote to memory of 3664	2448	D5EE.tmp	95
PID 2448 wrote to memory of 3664	2448	D5EE.tmp	95

C:\Users\Admin\AppData\Local\Temp\2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_6108e5ec22ef67c52473f04a6f68b91a_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:932
- C:\ProgramData\D5EE.tmp
  "C:\ProgramData\D5EE.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D5EE.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3512

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:224
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{58BEE53F-1D0A-40E1-AA51-CE2659767ED2}.xps" 133713542022690000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\UUUUUUUUUUU

Filesize
129B

MD5
2ffbfc0e3e107347bd511cafc874f1fe

SHA1
da655ae82c79b7bcc1ad088d0aca0b27354805b4

SHA256
097f3496eccedd9701ec6b410c1b5beef8403c8f4dda920ee00f39650401635b

SHA512
74b6b9e0d0d23fd7b5799bb09cbf3ee979fd9f30b11ec8bb4ce19e52d03823cf74f72b23b895aac78b38cddf8f923fce5e13308875155a7ecf37f711562b0bbb

Download Submit
C:\ProgramData\D5EE.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Sjn6OybIL.README.txt

Filesize
6KB

MD5
f9366230690f4341bc9c9d958d042cc0

SHA1
9ae05629d0cee0b7e0d1a87e0ec812575c7cfe68

SHA256
53e1aff3d9bdee7c6c0068f5553d88fca8f1399007fb47372717397d06d8f433

SHA512
42af70bc2e1109633e259fc8a65650b1d8ff4d41456abcb39b4aba80c68d711192f2a21da3c9889fc71e7624692f0ddd3216c570ad8b67c48f09f180f11f8931

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
153KB

MD5
2ae85204a4e01606309fe9ef7223dbb9

SHA1
528a56d6d2bbdf80a509656dff10e84bde1e8a04

SHA256
0c8a6e2cd24f32b12743f28cddd37adaa8b6cdffebfdfa694c5c10589f9e8f93

SHA512
20cf1ce12a5d4a9543458c89ff3c2d8dd6fc9aa506ac27abc5be59ea1feb6ee674dc4b1e9bc253474a709167eb59e410c648888acadf3f795b1dc3d9c2598eaa

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
779d0b764163310e2ac10652d5986d8e

SHA1
e98dd13c4a4103eb4fb15bcf8e633dcce79b6b84

SHA256
97dc6ed2565867a9ab02717ad9dea3f41a716e41fad9293251e3215f12bc16c0

SHA512
d192115d04673bb56f45a32e0627176f654c9a25a23838679db63b3259001c00f855b3eaccce1866ea85f7d1e8a60527cb57b5cfa3985fffe98bcfc5519b5888

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\DDDDDDDDDDD

Filesize
129B

MD5
ccb28689c831013a36a720e1a0f679c9

SHA1
d375a7945c386451704fc08806230bfff3010cd0

SHA256
4d058e34d9a656a045b582a9144c9acf9c47ff9be20b6b59e025632ae1ecc237

SHA512
6bdc64293ea226787668800c20b12a164da7ba6fce48af994e4c75c5772e4eae82504b342e10d95e75286cf71c9fe140817f96ac88d49bef8899b7b9d9c50b47

Download Submit
memory/1432-2935-0x00007FF968650000-0x00007FF968660000-memory.dmp

Filesize
64KB

Download
memory/1432-2932-0x00007FF968650000-0x00007FF968660000-memory.dmp

Filesize
64KB

Download
memory/1432-2934-0x00007FF968650000-0x00007FF968660000-memory.dmp

Filesize
64KB

Download
memory/1432-2933-0x00007FF968650000-0x00007FF968660000-memory.dmp

Filesize
64KB

Download
memory/1432-2936-0x00007FF968650000-0x00007FF968660000-memory.dmp

Filesize
64KB

Download
memory/1432-2937-0x00007FF966480000-0x00007FF966490000-memory.dmp

Filesize
64KB

Download
memory/1432-2938-0x00007FF966480000-0x00007FF966490000-memory.dmp

Filesize
64KB

Download
memory/4680-2921-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download
memory/4680-2920-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download
memory/4680-2-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download
memory/4680-2919-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download
memory/4680-1-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download
memory/4680-0-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download