Resubmissions
07-11-2024 02:22
241107-ctx7kateln 1007-11-2024 02:04
241107-cg9d3ashpa 1007-11-2024 01:55
241107-ccbbga1qhs 10Analysis
-
max time kernel
54s -
max time network
35s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-11-2024 02:22
Behavioral task
behavioral1
Sample
2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
-
Size
153KB
-
MD5
768c44a8ca7375f504ef546e50218314
-
SHA1
605726530534b476abf0a940c118a74e1f0b7a19
-
SHA256
a8db150f736de8b8654c7390cee378aebb1a8f11c13869fe9e63c223e4376766
-
SHA512
167adaa6e9c3f3d73320388e10791e0e2ac1be9ccbdd9805a95b754699285f67682e0b6e218a0e1eedc962947feefa58582c1c5ed2387e1218faccab696f1249
-
SSDEEP
3072:FqJogYkcSNm9V7D3IzFIROodFQYNJIXoT:Fq2kc4m9tD3IzFloTzJa
Malware Config
Extracted
C:\pKSLKLNeI.README.txt
lockbit
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Renames multiple (601) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation A0B5.tmp -
Deletes itself 1 IoCs
pid Process 560 A0B5.tmp -
Executes dropped EXE 1 IoCs
pid Process 560 A0B5.tmp -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe File created C:\Windows\system32\spool\PRINTERS\PPt05ufn0mukjc4c9q9ovkjy0wb.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPmpiqndwqtv0u083rfou_txnbb.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPok6c8m93hmvtndzxjofnz87rc.TMP printfilterpipelinesvc.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\pKSLKLNeI.bmp" 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\pKSLKLNeI.bmp" 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 560 A0B5.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A0B5.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\WallpaperStyle = "10" 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe -
Modifies registry class 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pKSLKLNeI 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pKSLKLNeI\DefaultIcon\ = "C:\\ProgramData\\pKSLKLNeI.ico" 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pKSLKLNeI 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pKSLKLNeI\ = "pKSLKLNeI" 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pKSLKLNeI\DefaultIcon 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2032 ONENOTE.EXE 2032 ONENOTE.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp 560 A0B5.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeDebugPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: 36 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeImpersonatePrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeIncBasePriorityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeIncreaseQuotaPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: 33 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeManageVolumePrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeProfSingleProcessPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeRestorePrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSystemProfilePrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeTakeOwnershipPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeShutdownPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeDebugPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeBackupPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe Token: SeSecurityPrivilege 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe -
Suspicious use of SetWindowsHookEx 33 IoCs
pid Process 2032 ONENOTE.EXE 2032 ONENOTE.EXE 2032 ONENOTE.EXE 2032 ONENOTE.EXE 2032 ONENOTE.EXE 2032 ONENOTE.EXE 2032 ONENOTE.EXE 2032 ONENOTE.EXE 2032 ONENOTE.EXE 2032 ONENOTE.EXE 2032 ONENOTE.EXE 2032 ONENOTE.EXE 2032 ONENOTE.EXE 2032 ONENOTE.EXE 2964 OpenWith.exe 2964 OpenWith.exe 2964 OpenWith.exe 2964 OpenWith.exe 2964 OpenWith.exe 2964 OpenWith.exe 2964 OpenWith.exe 2964 OpenWith.exe 2964 OpenWith.exe 2964 OpenWith.exe 2964 OpenWith.exe 2964 OpenWith.exe 2964 OpenWith.exe 2964 OpenWith.exe 2964 OpenWith.exe 2964 OpenWith.exe 2964 OpenWith.exe 2964 OpenWith.exe 2964 OpenWith.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 3264 wrote to memory of 900 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 92 PID 3264 wrote to memory of 900 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 92 PID 3040 wrote to memory of 2032 3040 printfilterpipelinesvc.exe 97 PID 3040 wrote to memory of 2032 3040 printfilterpipelinesvc.exe 97 PID 3264 wrote to memory of 560 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 98 PID 3264 wrote to memory of 560 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 98 PID 3264 wrote to memory of 560 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 98 PID 3264 wrote to memory of 560 3264 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe 98 PID 560 wrote to memory of 3312 560 A0B5.tmp 99 PID 560 wrote to memory of 3312 560 A0B5.tmp 99 PID 560 wrote to memory of 3312 560 A0B5.tmp 99 PID 2964 wrote to memory of 1144 2964 OpenWith.exe 111 PID 2964 wrote to memory of 1144 2964 OpenWith.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe"1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
PID:900
-
-
C:\ProgramData\A0B5.tmp"C:\ProgramData\A0B5.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A0B5.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:3312
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:2664
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{6D81A5B9-00AF-4283-9B1F-865EA2186115}.xps" 1337541977870500002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\CloseDisconnect.bat" "1⤵PID:2472
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\α½µ¼GKa╛2⤵PID:1144
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5ee9b6793e789425e982028899fe47322
SHA179639657c2438f5cd23fba16d190ddd4a48ef895
SHA256df7b7574ed186bcc305d6555f49f1f6c9cc1057e5cf52dfe0b5dd4959fcf6f58
SHA512c11818b42a054fc7caaccc407f86a6fbc145a5390ea67825367f6d1dcf081e019fb301e8864c0385c7634420b5c47fdc5121acf96d0d402f1156117a49fa1249
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
153KB
MD55dba51afce94807edc92c21d4f3fc5c6
SHA1cb2c5c28835847a4d024a28de17f9fac746a32e7
SHA2567f8b513e8639d5566fbfc09a8011b772a5b314b288123b1a67a370b52371db85
SHA512dc291cdb1c5a7948a23d9a9fa92cfc8ee53cd4f97a59303c5dc9870991772f6f54b11204d290028c7d51f23855316caa5a0a153c00c21a62945e7de5317449f9
-
Filesize
4KB
MD50bdc2148b28427fb95a47d14f8f8a9f4
SHA1cf78fd00a80b74d09265e55018425124ca716901
SHA2565e3e822c5b67a6b03f134a6e639d2b644b92306fb7718dc949298993488d7bb9
SHA512ca5dd7e76560982e1e4a17c140b0c46f7914e6995109e244b718eb179e811520a113afe3763a6f68a2a65611156265327519a0b98ecdc293675b3c1cca5546cd
-
Filesize
4KB
MD5d71fe7cc36faf6453a27f0be29fbabd5
SHA13c2915ae1a649a9d6ab6da555187ad792c0fc7da
SHA256eb98d0a18c3cadd634667af654a5743860ec756f439717fa6c8f1c7c4b40e71b
SHA5129d1db318b2ec43f52c956d26183a1271076cc57cdec090974b0d862cfee2ce73285f999e3fd790d50dc56160ab083375997fd5becd34286e303978b790ab0a82
-
Filesize
6KB
MD5dd746ace17e44ace00885b91400f11d5
SHA14a0302d2dca400598f396e4230fdae71779cbeaa
SHA256b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272
SHA5128ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1
-
Filesize
129B
MD525c32a0b18d3167694e7e62752123918
SHA18026d40f39357699daba192702dd8849614bb295
SHA25611d37a9396b2879c2c8957ad4cd1426ec71ee2965654f2e3bd1cdf029352fc6e
SHA5126d7b21137c02604bb20e115745dd9b24041d9c7c2163265eb81a6bf871b67e33e962d94e6cadc9addbb8f61392967c7445b0b94807134ae9d5aa5c4429b83f79