Analysis
-
max time kernel
126s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
13-03-2024 17:33
Behavioral task
behavioral1
Sample
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe
-
Size
147KB
-
MD5
66b3e535355102fd0cede6506739e474
-
SHA1
5a20c4d8bbb2495c817c92cfa060a6a235e6ed36
-
SHA256
9b3cd385077933c2a72cba58d23dcde77852818c3ce1a361baa5c6bbd915b82f
-
SHA512
f11bd1ed1f2f601ed5db353ff2f85982b3218e3a60f6d58c8f5f5a23df7560fce8fd67da37fe7ef6bc31de2883eb17c2389a1195820968562740a0e46c1569e6
-
SSDEEP
3072:T6glyuxE4GsUPnliByocWepjUeRBGYENO6g:T6gDBGpvEByocWexUeR0Y2N
Malware Config
Extracted
C:\NupqqeiS5.README.txt
Signatures
-
Renames multiple (579) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
8B88.tmpdescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation 8B88.tmp -
Deletes itself 1 IoCs
Processes:
8B88.tmppid process 1160 8B88.tmp -
Executes dropped EXE 1 IoCs
Processes:
8B88.tmppid process 1160 8B88.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exedescription ioc process File opened for modification C:\$Recycle.Bin\S-1-5-21-983155329-280873152-1838004294-1000\desktop.ini 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-983155329-280873152-1838004294-1000\desktop.ini 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe -
Drops file in System32 directory 4 IoCs
Processes:
splwow64.exeprintfilterpipelinesvc.exedescription ioc process File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe File created C:\Windows\system32\spool\PRINTERS\PP8jj73szlaimy_5208wggvud2d.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPjoe_ihtvy1g7rsabt4v07p_tb.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPsggdne2sy8zuainzzq6_70pf.TMP printfilterpipelinesvc.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\NupqqeiS5.bmp" 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\NupqqeiS5.bmp" 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe8B88.tmppid process 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1160 8B88.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
ONENOTE.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
ONENOTE.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Modifies Control Panel 2 IoCs
Processes:
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Desktop 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Desktop\WallpaperStyle = "10" 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe -
Modifies registry class 5 IoCs
Processes:
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NupqqeiS5 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NupqqeiS5\DefaultIcon\ = "C:\\ProgramData\\NupqqeiS5.ico" 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.NupqqeiS5 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.NupqqeiS5\ = "NupqqeiS5" 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NupqqeiS5\DefaultIcon 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exepid process 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
Processes:
8B88.tmppid process 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp 1160 8B88.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exedescription pid process Token: SeAssignPrimaryTokenPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeDebugPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: 36 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeImpersonatePrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeIncBasePriorityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeIncreaseQuotaPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: 33 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeManageVolumePrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeProfSingleProcessPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeRestorePrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSystemProfilePrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeTakeOwnershipPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeShutdownPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeDebugPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeBackupPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe Token: SeSecurityPrivilege 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
ONENOTE.EXEpid process 2496 ONENOTE.EXE 2496 ONENOTE.EXE 2496 ONENOTE.EXE 2496 ONENOTE.EXE 2496 ONENOTE.EXE 2496 ONENOTE.EXE 2496 ONENOTE.EXE 2496 ONENOTE.EXE 2496 ONENOTE.EXE 2496 ONENOTE.EXE 2496 ONENOTE.EXE 2496 ONENOTE.EXE 2496 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exeprintfilterpipelinesvc.exe8B88.tmpdescription pid process target process PID 1792 wrote to memory of 3168 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe splwow64.exe PID 1792 wrote to memory of 3168 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe splwow64.exe PID 3056 wrote to memory of 2496 3056 printfilterpipelinesvc.exe ONENOTE.EXE PID 3056 wrote to memory of 2496 3056 printfilterpipelinesvc.exe ONENOTE.EXE PID 1792 wrote to memory of 1160 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 8B88.tmp PID 1792 wrote to memory of 1160 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 8B88.tmp PID 1792 wrote to memory of 1160 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 8B88.tmp PID 1792 wrote to memory of 1160 1792 2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe 8B88.tmp PID 1160 wrote to memory of 1664 1160 8B88.tmp cmd.exe PID 1160 wrote to memory of 1664 1160 8B88.tmp cmd.exe PID 1160 wrote to memory of 1664 1160 8B88.tmp cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-13_66b3e535355102fd0cede6506739e474_darkside.exe"1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
PID:3168
-
-
C:\ProgramData\8B88.tmp"C:\ProgramData\8B88.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8B88.tmp >> NUL3⤵PID:1664
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:3184
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{5D406187-31C6-4183-83E1-734BB85DB859}.xps" 1335482479713200002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2496
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5c5a51ecac1fe2b0bcaffd5b4500bbd85
SHA17040dd609f5541e72b06dd682d1040f97c30ae56
SHA2566b27efc22de613a15c72dd80a03cb85ed394799915c1e65df42c2b6f97e4f55b
SHA51298a27a50a52dca6e212fd8decb3710255d6b16b38c33d9ea4bfb0f400180fd0e8c13ed582d3d64efb57a5f023cf7854903be7d7ccd614a4ba3d4a25ce24beb88
-
Filesize
1KB
MD5fb07c785132ffb451b7865b5f8be8793
SHA16ef563addf7aa1bc0a99b70a621bd7ba430a9412
SHA256369475944802faa69d76362094571070a549f9153e29cf5d54e5fd34e36ca0bd
SHA51292f1dadc9de8a3dd1aee9b5310b66ca9d98b26e587cf298e8967995fb2974a842c57e4c1d3458575a1890997cb62151ebbfce679c520f9868ec2d6ffa022f8fc
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
147KB
MD5efce452d69e6ffcfd5eccc5db3b68344
SHA1eca01aab9ff22bb85acb893ad74a7bb3292811d9
SHA256ca1f05b947b40db800463bb6635b8a04b2d3525668f7454b4a8c63df42000fcb
SHA512d26d925ec5f878044041d4a49926828da9d43078b56c641dc73c5ca9f7747c08e99773042f2f0ea7b9a664ded3ef800f436c0fd163c30877c77af1b9e91774f8
-
Filesize
4KB
MD5c41baea6784546eee8bd713bf1945a02
SHA16194c32db6cdca0a87ea90d9934d3914e758f1a9
SHA256fbec759ab01c14f3890fffaccc219e144e4d2b0fcbb2faf678bae70553ea813a
SHA512960bfb4fc1137a9944094d21e71d9d270d9347815418c40cf657ad4ab03f9a5591418d3afd0631eb416d8ff869f485e41a51bbbc7fec1797ee2e5fcc00c4cb97
-
Filesize
4KB
MD5339ae20457a4d7856c69b65096a39df9
SHA185ee28a115d8a431767305d0059f0c9d8f726209
SHA2560d5f1aba7d2329bc69271a0de49c995c4693e5f7f9facec790787329c6ef33b6
SHA512cc291e99dcc5b9a7fb5f0f0bd7ad6935c69126e918b23d8814f6d5ab32bc47377e3fbabc81adb6336aed40c0208a6c1536c5d6e68fd5ca4e6921b2c5d1efa4dc
-
Filesize
129B
MD5a08dffe66a3c954418b270007104dcc5
SHA1c24ad9e8583e637e15054cce6cf5e1812be086d8
SHA256282fe4450e53d463fe5a4c3472ea8a6317514503c944f2be923a1c4fca5a8a02
SHA5123f972f721900a6aa6e90f2b161f3bb4baf4ae9d818e8a7fc5d056815c67d980f0b83837dbaaed8f5d4d9f12325b2f17a16e459b4248e534e24ce848fbe178d1f