Analysis
max time kernel: 139s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 15-02-2024 12:23
Behavioral task: behavioral1
Sample: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe
Resource: win10v2004-20231215-en
General
Target: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe
Size: 147KB
MD5: 2dadaf10d507b44e7b561405d9227bc2
SHA1: 5406d642422ca05857447ad82979d6d44c326834
SHA256: 6dd44d852226fd9e7fc914c6edbaf185bfcaacdc7a4dcdb7268440e6fc811618
SHA512: 0cbd90e6bc68e1052ecc22f90c9e3fbfccc796029e7ef9258f4d5f1b29dfe26c0a0f799b5a406a097c32e1beb27e3c1fdbd65ca67615d1e37f265874ddac2f11
SSDEEP: 3072:G6glyuxE4GsUPnliByocWepHLamgTCsUd3Mh:G6gDBGpvEByocWeFLamg+NM
Malware Config
Extracted: C:\G3fEAZsSH.README.txt
Signatures

Renames multiple (583) files with added filename extension
This suggests ransomware activity: the files on the system are being encrypted and renamed.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 949B.tmp
  Key value queried  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation  (949B.tmp)
Deletes itself (1 IoC)
Processes: 949B.tmp
  pid 4952  949B.tmp

Executes dropped EXE (1 IoC)
Processes: 949B.tmp
  pid 4952  949B.tmp
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops desktop.ini file(s) (2 IoCs)
Processes: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe
  File opened for modification  C:\$Recycle.Bin\S-1-5-21-3073191680-435865314-2862784915-1000\desktop.ini  (2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
  File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-3073191680-435865314-2862784915-1000\desktop.ini  (2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
Drops file in System32 directory (4 IoCs)
Processes: splwow64.exe, printfilterpipelinesvc.exe
  File created  C:\Windows\system32\spool\PRINTERS\00002.SPL  (splwow64.exe)
  File created  C:\Windows\system32\spool\PRINTERS\PP120l8sxk3gff0vu0f1lydbvod.TMP  (printfilterpipelinesvc.exe)
  File created  C:\Windows\system32\spool\PRINTERS\PP46gxukoeldl35_twiuzj7y4n.TMP  (printfilterpipelinesvc.exe)
  File created  C:\Windows\system32\spool\PRINTERS\PPuardaru3wvu4no8oqh3u8b5q.TMP  (printfilterpipelinesvc.exe)
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\G3fEAZsSH.bmp"  (2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\G3fEAZsSH.bmp"  (2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe, 949B.tmp
  pid 4512  2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe  (4 occurrences)
  pid 4952  949B.tmp  (1 occurrence)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: ONENOTE.EXE
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (ONENOTE.EXE)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (ONENOTE.EXE)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (ONENOTE.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: ONENOTE.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  (ONENOTE.EXE)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  (ONENOTE.EXE)
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  (ONENOTE.EXE)
Modifies Control Panel (2 IoCs)
Processes: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe
  Key created  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop  (2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop\WallpaperStyle = "10"  (2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
Modifies registry class (5 IoCs)
Processes: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\G3fEAZsSH\DefaultIcon  (2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\G3fEAZsSH  (2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\G3fEAZsSH\DefaultIcon\ = "C:\\ProgramData\\G3fEAZsSH.ico"  (2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.G3fEAZsSH  (2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.G3fEAZsSH\ = "G3fEAZsSH"  (2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe
  pid 4512  2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe  (64 occurrences listed)
Suspicious behavior: RenamesItself (26 IoCs)
Processes: 949B.tmp
  pid 4952  949B.tmp  (26 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe (pid 4512 for every entry)
  Token: SeAssignPrimaryTokenPrivilege
  Token: SeBackupPrivilege
  Token: SeDebugPrivilege
  Token: 36
  Token: SeImpersonatePrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeIncreaseQuotaPrivilege
  Token: 33
  Token: SeManageVolumePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeRestorePrivilege
  Token: SeSecurityPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  followed by 48 further entries alternating in pairs between SeBackupPrivilege and SeSecurityPrivilege (24 of each), making 64 entries in total
Suspicious use of SetWindowsHookEx (13 IoCs)
Processes: ONENOTE.EXE
  pid 4604  ONENOTE.EXE  (13 occurrences)
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe, printfilterpipelinesvc.exe, 949B.tmp
  PID 4512 wrote to memory of 4780  pid 4512  2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe  procid_target 93  (2 occurrences)
  PID 3368 wrote to memory of 4604  pid 3368  printfilterpipelinesvc.exe  procid_target 96  (2 occurrences)
  PID 4512 wrote to memory of 4952  pid 4512  2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe  procid_target 97  (4 occurrences)
  PID 4952 wrote to memory of 2636  pid 4952  949B.tmp  procid_target 98  (3 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe  (PID 4512)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe"
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe  (PID 4780)
    command line: C:\Windows\splwow64.exe 12288
    - Drops file in System32 directory
  C:\ProgramData\949B.tmp  (PID 4952)
    command line: "C:\ProgramData\949B.tmp"
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 2636)
      command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\949B.tmp >> NUL

C:\Windows\system32\svchost.exe  (PID 3268)
  command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe  (PID 3368)
  command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE  (PID 4604)
    command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{C959188E-3292-439D-AE95-C76F799F8C52}.xps" 133524734507240000
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
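The signatures and process tree above are the behaviours a triage analyst keys on: a bulk rename that appends one extension, a ProgID registered for that extension with a DefaultIcon, the wallpaper swap, the README drop, the dropped 949B.tmp reading the Geo\Nation value before removing its own image through cmd.exe (note the child runs as C:\Windows\SysWOW64\cmd.exe although the command line names System32: the 32-bit dropper is subject to WOW64 file-system redirection), and the privilege set enabled on the encryptor's token. The Python below is an added example, not the sandbox's code and not part of this report. It scores a simplified event list against those behaviours and parses the report's own WriteProcessMemory rows into parent/child pid pairs. The (process, category, detail) record format and category names are ours, the rename list is constructed because the report counts 583 renames but lists no paths, and the thresholds (50 renames, two corroborating indicators) are arbitrary choices the report does not state.

```python
# Added example (not the sandbox's code). EVENTS encodes rows from the report's
# Signatures/Processes sections in our own (process, category, detail) form;
# RENAMES is constructed; WPM_ROWS are the report's WriteProcessMemory rows.
import re
from collections import Counter

SID = "S-1-5-21-3073191680-435865314-2862784915-1000"  # user SID from the report
DROPPER = "2024-02-15_2dadaf10d507b44e7b561405d9227bc2_darkside.exe"

EVENTS = [
    (DROPPER, "reg_set", r"\REGISTRY\MACHINE\SOFTWARE\Classes\.G3fEAZsSH\ = G3fEAZsSH"),
    (DROPPER, "reg_set", r"\REGISTRY\MACHINE\SOFTWARE\Classes\G3fEAZsSH\DefaultIcon\ = C:\ProgramData\G3fEAZsSH.ico"),
    (DROPPER, "reg_set", rf"\REGISTRY\USER\{SID}\Control Panel\Desktop\WallPaper = C:\ProgramData\G3fEAZsSH.bmp"),
    (DROPPER, "reg_set", rf"\REGISTRY\USER\{SID}\Control Panel\Desktop\WallpaperStyle = 10"),
    (DROPPER, "file_modify", rf"C:\$Recycle.Bin\{SID}\desktop.ini"),
    (DROPPER, "file_create", r"C:\G3fEAZsSH.README.txt"),
    ("949B.tmp", "reg_query", rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation"),
    ("949B.tmp", "proc_create", r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\949B.tmp >> NUL'),
] + [(DROPPER, "token", p) for p in (
    "SeAssignPrimaryTokenPrivilege", "SeBackupPrivilege", "SeDebugPrivilege",
    "SeRestorePrivilege", "SeSecurityPrivilege", "SeTakeOwnershipPrivilege")]
# Constructed: the report counts 583 renames with an added extension but lists no paths.
RENAMES = [(rf"C:\Users\Admin\Documents\file{i}.docx",
            rf"C:\Users\Admin\Documents\file{i}.docx.G3fEAZsSH") for i in range(583)]
WPM_ROWS = [
    f"PID 4512 wrote to memory of 4780 4512 {DROPPER} 93",
    "PID 3368 wrote to memory of 4604 3368 printfilterpipelinesvc.exe 96",
    f"PID 4512 wrote to memory of 4952 4512 {DROPPER} 97",
    "PID 4952 wrote to memory of 2636 4952 949B.tmp 98",
]

# Privileges an encryptor enables to read/overwrite files it does not own
# (backup, restore, take-ownership) and to reach into other processes (debug).
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeBackupPrivilege",
                   "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}
_CLASSES_EXT = re.compile(r"\\Classes\\\.([A-Za-z0-9_]+)\\?\s*=", re.I)
_WALLPAPER = re.compile(r"\\Control Panel\\Desktop\\Wallpaper\s*=", re.I)
_GEO = re.compile(r"\\International\\Geo\\Nation$", re.I)
_DEL_TARGET = re.compile(r"\bDEL\b(?:\s+/\w)*\s+(\S+)", re.I)
_WPM = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")

def added_extensions(renames):
    """Count the extension appended by renames that keep the old path as a prefix."""
    counts = Counter()
    for old, new in renames:
        tail = new[len(old):] if new.startswith(old) else ""
        if len(tail) > 1 and tail[0] == ".":
            counts[tail[1:]] += 1
    return counts

def registered_extensions(events):
    """Extensions the sample registered under HKLM\\SOFTWARE\\Classes\\.<ext>."""
    matches = (_CLASSES_EXT.search(d) for _, c, d in events if c == "reg_set")
    return {m.group(1) for m in matches if m}

def self_delete_commands(events):
    """(process, command) pairs where a process spawns cmd.exe to DEL its own image."""
    hits = []
    for process, category, detail in events:
        m = _DEL_TARGET.search(detail) if category == "proc_create" else None
        if m and m.group(1).rsplit("\\", 1)[-1].lower() == process.lower():
            hits.append((process, detail))
    return hits

def parent_child_pairs(rows):
    """Parse 'PID a wrote to memory of b ...' rows into (a, b) pid pairs."""
    return {(int(m.group(1)), int(m.group(2))) for m in map(_WPM.match, rows) if m}

def triage(events, renames, min_renames=50):
    """Combine the indicators into findings plus a verdict."""
    counts = added_extensions(renames)
    ext, n = counts.most_common(1)[0] if counts else (None, 0)
    f = {
        "extension": ext,
        "mass_rename": n >= min_renames,
        "extension_registered": ext in registered_extensions(events),
        "wallpaper_set": any(c == "reg_set" and _WALLPAPER.search(d) for _, c, d in events),
        "ransom_note": any(c == "file_create" and d.upper().endswith("README.TXT") for _, c, d in events),
        "geo_check": any(c == "reg_query" and _GEO.search(d) for _, c, d in events),
        "sensitive_privileges": sorted({d for _, c, d in events if c == "token"} & SENSITIVE_PRIVS),
        "self_delete": [p for p, _ in self_delete_commands(events)],
    }
    # A mass rename alone may be a legitimate bulk tool; require corroboration.
    corroborating = sum(bool(f[k]) for k in ("extension_registered", "wallpaper_set", "ransom_note", "self_delete"))
    if f["mass_rename"] and corroborating >= 2:
        f["verdict"] = "ransomware"
    else:
        f["verdict"] = "suspicious" if f["mass_rename"] or corroborating else "clean"
    return f

if __name__ == "__main__":
    for key, value in triage(EVENTS, RENAMES).items():
        print(f"{key:21} {value}")
    print("parent -> child pids:", sorted(parent_child_pairs(WPM_ROWS)))
```

In this report every WriteProcessMemory pair coincides with a parent/child edge in the Processes section, because creating a child writes into the new process; the same rows would also record injection into an unrelated process, so the pairs are worth diffing against the tree rather than read as process creation on their own.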
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 129B
MD5: 8d5f7adca59dfd6c8ecd7cb2d5721865
SHA1: febc9e9c0ce37866466e02cb43fc2a1916c1445b
SHA256: 915524a825c6ab8148b67e2c35f5009a6d9dba8198c82f75f58f0960c48a01ab
SHA512: 1ec78dc2a71307b461120c466a3efc803c31707edde6bc18adec76be4dc17effc9976a2ce360c934971c51b5e07d76ec113961b75f785c992270d7bcac2c117d

Filesize: 1KB
MD5: c27b4229efac6671942d30719e33225d
SHA1: dfc06ec8ae7e1047aedc4e9f8f0c9e83ad69c507
SHA256: ccb3796c65736cbb0e28cedc370b210f27dff6877cfb8cec85e75f151b48b630
SHA512: 5cf85171e683a5982930b047dbfe3278d896b2f146863668620a990003e3467313006fc3e7a139d84f02537a11b42571b7dc958465df8b8caad2091174f992a0

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Filesize: 147KB
MD5: 71ba59ad49314d0c71a9bc76e1d4b02a
SHA1: 33dbdbf0c6233904781d398c10752fa861c82624
SHA256: f57a130ceb40304d8b235322d0c9339d78722e1cb79a52ea6e14cffcdfeac1b6
SHA512: 332be5d08cf2ab72427cb861a39faf1cd26a73ebea83e1f5017ce03018c03878985eedd389e88db5b5cae98863af7379652874c6b70f5f79780b03088cdfaab7

Filesize: 4KB
MD5: 463bb6a2246135694707ba3850d4cc33
SHA1: 2ffa8a521e365ffd09ded14a2bf6c48841ccf928
SHA256: 4cb38e5751fbcca30bdfa84ed41efd1161ff56580d740e9276aeb366134d7504
SHA512: 8f9354650f860f51dabf350c371fd2fc81c3e348c10babd8c94514f0b5ad022fc7397d260e23f507ee91afa62e1049249a5a341443ea1ede71b5134002d5964c

Filesize: 129B
MD5: 8604f4612e9c09ca67f8d77ab18868d1
SHA1: 64c4b3d7eb737915a8f249969b82ee6684b75302
SHA256: 283e56a4311396c2f126cee7d4ebed0adee8041552c4286431032d439a650106
SHA512: e7c96be70a84966f7eeabb0a01edd0179cb28fe2935017323ad8c45d0df28534cf10decf6c4fa7567fee266657fd18505a93d5ff2f684cfea1af2e549633e16a