acff52603661d22885a36c7114be3278aaeecdf06d47ab554fc4173979aa2baf | Triage

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 03:29

Sharing

Report Analysis Logs

General

Target

2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Size

144KB
MD5

a925cd24c02dd75fb48c6db87ee43f46
SHA1

4c6d15029d1457d011f89b21fc0c61157b13a3b3
SHA256

acff52603661d22885a36c7114be3278aaeecdf06d47ab554fc4173979aa2baf
SHA512

ab4e75139badef3533bff0ea7ca545a11f3833c82bb30e3abaa27841b296962773e745dd96111c06b0a0caac63d16ee41630b0f192c0a3f6187d00e81e81c77f
SSDEEP

3072:IqJogYkcSNm9V7DRrTLdNF+qjFe0qtHWT:Iq2kc4m9tDRZNFDjFed

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5333) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 1 IoCs

Processes:

pid process

864

Loads dropped DLL 42 IoCs

Processes:

2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe

pid	process
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
764
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe

Drops desktop.ini file(s) 53 IoCs

Processes:

2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_6.1.7600.16385_none_36604ea896f9a97d\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_6.1.7600.16385_none_da623240a154f357\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_6.1.7600.16385_none_ba8f25a3b6d81a68\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_6.1.7600.16385_none_bf396ba9226e0702\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-nature_31bf3856ad364e35_6.1.7600.16385_none_d5909570704a09c0\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe

Drops file in System32 directory 1 IoCs

Processes:

2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\regedit.exe 2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe

Drops file in Windows directory 64 IoCs

Processes:

2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe

description	ioc	process
File created	C:\Windows\winsxs\x86_microsoft-windows-devicepairingdll_31bf3856ad364e35_6.1.7600.16385_none_6dd996716463e8a5\Q9dvwfMde.README.txt	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File created	C:\Windows\winsxs\msil_regasm.resources_b03f5f7f11d50a3a_6.1.7600.16385_fr-fr_e43f77eacfa46095\Q9dvwfMde.README.txt	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-wmi-core-svc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e89d39c14603adac.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_prnhp004.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_en-us_776fcc965411f639.manifest.Q9dvwfMde	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Catalogs\750bff242e69c84105f773e535270e3b0b4bc0983503c7ce6fb6c6f81acaf0af.cat	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_parameters.help.txt	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-tzutil.resources_31bf3856ad364e35_6.1.7600.16385_it-it_04361f65b5251181\Q9dvwfMde.README.txt	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_mdmbr005.inf_31bf3856ad364e35_6.1.7600.16385_none_c18fa02953594dc3.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-w..ction-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_498bf70775dfa1a7.manifest.Q9dvwfMde	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_14400aaa57809682.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$_system32_ja-jp_licenses_oem_startern_59d7c914bb5f7cc8.cdf-ms	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp004.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d2b49ecccf5f45bf\prnhp004.inf_loc	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ackgammon.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1970b11cfb70c9ca\bckgzm.exe.mui	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-d..rectplay8.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c5606b264d36ad10\dpnsvr.exe.mui	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-mssign32-dll_31bf3856ad364e35_6.1.7600.16385_none_2628bf25f41e9a5c.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-ntfs.resources_31bf3856ad364e35_6.1.7600.16385_en-us_40a72e2477e646bb.manifest.Q9dvwfMde	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-d..w-devenum.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ca43fe10f5245471.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$_inf_msdtc_0410_5b1b81bd4f36c80b.cdf-ms	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$_syswow64_sl-si_b8f1e2684fb16c1c.cdf-ms	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..itiator_service_mof_31bf3856ad364e35_6.1.7601.17514_none_0793641fcc6ca405\iscsirem.mof	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-cdosys.resources_31bf3856ad364e35_6.1.7601.17514_sv-se_476e370068602811.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-s..licytools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_13b2b69fa0534c0b.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..maker-mof.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fbf054e3704f46b8\polprou.mfl	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-n..5linqcomp.resources_31bf3856ad364e35_6.1.7601.17514_de-de_114c52d204a5e41d\System.Xml.Linq.Resources.dll	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_bthprint.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_93dfd9dabe50a1bf.manifest.Q9dvwfMde	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..shell-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_71be2beaee655289\TabletShell.adml	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..entication-usermode_31bf3856ad364e35_6.1.7600.16385_none_9616b4da8e0572c5\ntmarta.dll	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-i..p-support.resources_31bf3856ad364e35_8.0.7600.16385_en-us_b9a1c8ae2a0faa63\ie4uinit.exe.mui	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-d..w-capture.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_31e3dae361181ead\qcap.dll.mui	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-netsh.resources_31bf3856ad364e35_6.1.7600.16385_de-de_dec77b5df8042931.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..age-codec.resources_31bf3856ad364e35_7.1.7601.16492_fr-fr_a1412f0fc401018b\Q9dvwfMde.README.txt	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.17932_none_68c05c919281774d\api-ms-win-core-interlocked-l1-1-0.dll	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_4b7bf556f6fe4db9\dial_lrg_sml.png	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-msxml30_31bf3856ad364e35_6.1.7601.17514_none_f0e8f05be1d66e78\msxml3.dll	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-m..-logagent.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_81a6749c9aa1bbea.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-c..plus-admin-comadmin_31bf3856ad364e35_6.1.7600.16385_none_313785582054d3f3.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_wiabr005.inf_31bf3856ad364e35_6.1.7600.16385_none_08654b54b1d79d24\Brmf3wia.dll	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_wdmaudio.inf_31bf3856ad364e35_6.1.7600.16385_none_bc5c4aba33d6af68\SysFxUI.dll	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_hdaudss.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f9a7fe929c4cabea\hdaudss.inf_loc	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-iis-metabase.resources_31bf3856ad364e35_6.1.7600.16385_en-us_eef659347969869d\infoctrs.dll.mui	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_server-help-chm.resmon.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c2388284f453aa72\resmon.CHM	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File created	C:\Windows\winsxs\amd64_msports.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_92d1a7c00a2dc68a\Q9dvwfMde.README.txt	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ipconfig.resources_31bf3856ad364e35_6.1.7600.16385_en-us_23d220931769f95b\Q9dvwfMde.README.txt	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_netfx-fw_perfcounters_b03f5f7f11d50a3a_6.1.7600.16385_none_239c9c8a8e93c65b.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_wsdapi.resources_31bf3856ad364e35_6.1.7600.16385_it-it_03d97b7f49467880.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\msil_system.design.resources_b03f5f7f11d50a3a_6.1.7600.16385_en-us_15eb0b0ebafa6b14.manifest.Q9dvwfMde	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-setupcl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_98c6a5dbf3a1f31f\setupcl.exe.mui	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-0000201a_31bf3856ad364e35_6.1.7600.16385_none_5866b6ca704d85a8\KBDBHC.DLL	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_703a658bb8025c25\Q9dvwfMde.README.txt	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\Microsoft-Windows-ICM-Profiles-DL.man	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_hpsamd.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_01d63bab2c631eee.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\msil_system.workflow.componentmodel.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_dae5d518096dcf8e.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-autoplay.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f28e7912462bac7f\autoplay.dll.mui	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-shgina.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ddb9a5ed83abc8de\shgina.dll.mui	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_desktop_shell-gettingstarted.resources_31bf3856ad364e35_6.1.7600.16385_it-it_25065454bdb5579f.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-c..lus-setup.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2718288e93ca31b8.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-com-legacyole_31bf3856ad364e35_6.1.7601.17514_none_41230ef33088513e\Q9dvwfMde.README.txt	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\wow64_microsoft-windows-i..ybinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_236194a7f35b6270.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..madvanced.resources_31bf3856ad364e35_6.1.7600.16385_de-de_62497c70b6d3816f\SystemPropertiesAdvanced.exe.mui	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..perftrack.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_436dfbe3afd233fa\Q9dvwfMde.README.txt	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File created	C:\Windows\winsxs\amd64_prnle002.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4160604d88a42500\Q9dvwfMde.README.txt	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-icm-ui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6b38fd80c04a1d08\Q9dvwfMde.README.txt	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_fc675397c4309dd0\loadperf.dll.mui	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_de-de_111bacf3e074578c.manifest	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe

Modifies registry class 5 IoCs

Processes:

2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Q9dvwfMde	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Q9dvwfMde\ = "Q9dvwfMde"	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Q9dvwfMde\DefaultIcon	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Q9dvwfMde	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Q9dvwfMde\DefaultIcon\ = "C:\\ProgramData\\Q9dvwfMde.ico"	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe

pid	process
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Token: SeBackupPrivilege	876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Token: SeDebugPrivilege	876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Token: 36	876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Token: SeImpersonatePrivilege	876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Token: SeIncBasePriorityPrivilege	876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Token: SeIncreaseQuotaPrivilege	876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Token: 33	876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Token: SeManageVolumePrivilege	876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Token: SeProfSingleProcessPrivilege	876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Token: SeRestorePrivilege	876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Token: SeSecurityPrivilege	876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Token: SeSystemProfilePrivilege	876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Token: SeTakeOwnershipPrivilege	876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Token: SeShutdownPrivilege	876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
Token: SeDebugPrivilege	876	2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-04_a925cd24c02dd75fb48c6db87ee43f46_darkside.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini

Filesize
129B

MD5
d83a667443aeeb0ba7d2a4e3837c4cce

SHA1
488980177a5d490cd9ae17355628cf8d74b7788f

SHA256
0f25b555054184b5556b5be4816c90a0a239bfddca24b61fef33715f79d2d709

SHA512
b33900f2d6a92db0f6faa4f3a6b94bb7c5f44ef680be1cab22e61c09e712d5709292f6ddd13d6230e1774dee510805bea614fa5651ae4ee6ec231d3e76fcb437

Download Submit
C:\Q9dvwfMde.README.txt

Filesize
65B

MD5
2a48a53c88625db8633b6e215c56aa19

SHA1
360c270064c95eb317bc1441309838c595729fa3

SHA256
4bc9a92ffdd57b151922361f143a06bc49139dfc0f6074b3628c3d40207ca393

SHA512
1f7281bf85e4be0540156d32e3027d9c61eb237a6febfbfad3f6f7f7bd8d00492933de436a25db8e82c56cfd0c97667c32b9fabd4904ca929f2c0b6618f8fab9

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\DDDDDDDDDDD

Filesize
129B

MD5
ee8615ab279ee3e4ed04226e47142f99

SHA1
5f6033bdadaec4d9871cc8f17796731942939c5b

SHA256
ed24d9244c30e77b394fe314603d155d2773e3b1a5da2bbe657a049f4e3b6be3

SHA512
66c5dfb614477537a8b86779f41b760e4e4909303306ebf54152612c613a5d1217461eef4b3995c7afb1039ed22c9d59f0f4b0bea0f6d80c56d63d2c1ecc01aa

Download Submit
\Windows\SysWOW64\bcryptprimitives.dll

Filesize
243KB

MD5
e8449fe262d7406bcb2ac2a45c53ec5f

SHA1
f76bb1b4d0ad47f68f8381281f87839304c252ea

SHA256
6c118c9fb26404d1943824cf3990f36e12986547ffacb7cc0df975a913065d78

SHA512
94c6fd6f3945161b86bf4ce703e8324ad6514f058fe1a859dd89a39c923fb0dff461aba65c737938e48d834b29156e7fcdcc4c24207a2a3146aa78fbabe79caf

Download Submit
\Windows\System32\RstrtMgr.dll

Filesize
184KB

MD5
a7d4e2c269301bea243676ed56f8b4ff

SHA1
a78533aac1856842a3a98eb9d1aa3957716ecfa4

SHA256
1a86feaa2da6fcf8f0011a4b4a5dcb722bff03f3b29c9fc4d25a2b0f621e9416

SHA512
cfe26c84885e7ca9f9238a3646f9c331d7ad7940d1e377a48cf1d450b6fac08ca02053127028b03c8f37abb1f47201149dbbdcbf62b5ed11e0dde130e00a3a32

Download Submit
\Windows\System32\es.dll

Filesize
393KB

MD5
4166f82be4d24938977dd1746be9b8a0

SHA1
5174036d781677f5444d9a23079baf18f4bbda44

SHA256
24121751b7306225ad1c808442d7b030def377e9316aa0a3c5c7460e87317881

SHA512
df60546a7b76fdfb47b963e109367d48a197744d468e96b9596ccde6e90ef01537a7147863b9d63ca7580b76d72a7570287d151711c2b2618f4f938df96af99e

Download Submit
\Windows\System32\svchost.exe

Filesize
26KB

MD5
c78655bc80301d76ed4fef1c1ea40a7d

SHA1
619652b42afe5fb0e3719d7aeda7a5494ab193e8

SHA256
93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8

SHA512
ebc9242cd81cf493e7b0358b32f9e658e10b68a3df6122e5ff1cba22020404758ba7514fa0a54ead090aa10af4d2c21ebb153a70a62a63519b69b5a133011bcd

Download Submit
memory/876-0-0x0000000000DC0000-0x0000000000E00000-memory.dmp

Filesize
256KB

Download