86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498

General

Target

2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Size

194KB
MD5

ae811bd6440b425e6777f0ca001a9743
SHA1

70902540ead269971e149eaff568fb17d04156af
SHA256

86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498
SHA512

3617d8e77c221525125778cf64f2525136f7958766f5bed0fd7bfe00e7f738017d2840972acc628e4c3471b93cf6d52ccd619f49bdbbcff824c12cac8e1ea88e
SSDEEP

3072:a6glyuxE4GsUPnliByocWepiHkZmlkQIQP6fo:a6gDBGpvEByocWeQwLAPm

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (625) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

B969.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation B969.tmp
Deletes itself 1 IoCs

Processes:

B969.tmp

pid process

8 B969.tmp
Executes dropped EXE 1 IoCs

Processes:

B969.tmp

pid process

8 B969.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	B969.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe

Drops file in System32 directory 4 IoCs

Processes:

printfilterpipelinesvc.exesplwow64.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\PPn2yx3qdikrp0ot686n1b6960b.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP823z7bl0fo3yskmylya3i6shc.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP54qbiiyvxmt7tv_qaqbozuhgb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\kZd6jLIwz.bmp"	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\kZd6jLIwz.bmp"	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exeB969.tmp

pid	process
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
8	B969.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "10"	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe

Modifies registry class 5 IoCs

Processes:

2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.kZd6jLIwz	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.kZd6jLIwz\ = "kZd6jLIwz"	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kZd6jLIwz\DefaultIcon	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kZd6jLIwz	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kZd6jLIwz\DefaultIcon\ = "C:\\ProgramData\\kZd6jLIwz.ico"	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe

pid	process
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

B969.tmp

pid	process
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp
8	B969.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeDebugPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: 36	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeImpersonatePrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeIncBasePriorityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeIncreaseQuotaPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: 33	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeManageVolumePrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeProfSingleProcessPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeRestorePrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSystemProfilePrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeTakeOwnershipPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeShutdownPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeDebugPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeBackupPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
Token: SeSecurityPrivilege	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	process
2304	ONENOTE.EXE
2304	ONENOTE.EXE
2304	ONENOTE.EXE
2304	ONENOTE.EXE
2304	ONENOTE.EXE
2304	ONENOTE.EXE
2304	ONENOTE.EXE
2304	ONENOTE.EXE
2304	ONENOTE.EXE
2304	ONENOTE.EXE
2304	ONENOTE.EXE
2304	ONENOTE.EXE
2304	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exeprintfilterpipelinesvc.exeB969.tmp

description	pid	process	target process
PID 4140 wrote to memory of 1972	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe	splwow64.exe
PID 4140 wrote to memory of 1972	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe	splwow64.exe
PID 3556 wrote to memory of 2304	3556	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 3556 wrote to memory of 2304	3556	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 4140 wrote to memory of 8	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe	B969.tmp
PID 4140 wrote to memory of 8	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe	B969.tmp
PID 4140 wrote to memory of 8	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe	B969.tmp
PID 4140 wrote to memory of 8	4140	2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe	B969.tmp
PID 8 wrote to memory of 2188	8	B969.tmp	cmd.exe
PID 8 wrote to memory of 2188	8	B969.tmp	cmd.exe
PID 8 wrote to memory of 2188	8	B969.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_ae811bd6440b425e6777f0ca001a9743_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Drops file in System32 directory
PID:1972

C:\ProgramData\B969.tmp
"C:\ProgramData\B969.tmp"
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B969.tmp >> NUL
3⤵
PID:2188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2204

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3556

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9867419E-9D5A-47BE-A4E2-04677205B17C}.xps" 133584317293790000
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini
Filesize
129B

MD5
0a47ce4b81a98bfc0c8c950baed6bca3

SHA1
4c664f8468331b00162de44956a4680e27e6cbc6

SHA256
34184bda6f5328f2a2ada5ad4fa71053ea0565e749de6b7c93282262fc1694d5

SHA512
79fa7dd7c139ff0e8c824a9579fbb4a96ef5ae1ba716c016700862d3e9b6d7c6edf3784e85aba5dc08f0ca828d83585d09d7eba497ba159444526e4c81ec8393

Download Submit
C:\ProgramData\B969.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize
194KB

MD5
420c49b1e1069943cd87f9457bf833eb

SHA1
171e0c16111a5f0638b87671b19cd4d661710262

SHA256
5e81d14131ccfa74bfc4b57cb75c9d6b3a109cc6790294176b2a45709fc24da0

SHA512
1f1e512ab7439bad3c16401dc2d71125db165e0d5a90113703b8d714a41b9f5c30faea0b4d68efca8957ff11375cfee71c01b96f868a26cfe049db37dc57ea1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2D23697B-07D9-40D5-8E31-C15B582C8E1A}
Filesize
4KB

MD5
8e4c8cce6de823a598457cc15c949388

SHA1
4c5db7bce167bd0b3d06623f17e01ca75b6fc7d5

SHA256
ab80933b811abac720b11a7c76c258312f07600f1c0be7e32084d495ea9359c0

SHA512
6577c93586b818d75119a466a5e574dde5609d9dd8fa9a1f049220f3a468035bd7a0026e2661b421d2cc299001fe322b40f636239859edc189e716d05541459f

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
Filesize
4KB

MD5
b6af810480d082f531080f72e91a1b97

SHA1
3d04fd24d962fbff3358ca174772dd7915978a8b

SHA256
6404c582ce961e576ce6e7c9c36d2ede641313c208661188d04517fbfad00ece

SHA512
f09bd198d59053be70b8198d6834b26d4104c8522875db8b1adef8ff835f636ef157807afeecbe6995d0cbab46be0ea6bbc0b0f6b41c39b7bd9eb05d22d2d8f1

Download Submit
C:\kZd6jLIwz.README.txt
Filesize
449B

MD5
c2f46db865b0ba6ef8f9385cf458a56e

SHA1
0b2f94fcf38ef15f59bb86a3296b7da514b4ac4e

SHA256
c25759e6083dd4bf592a6da2063c45def5adc9a6ef2ed15820128a0d838f70fe

SHA512
9927b209ca26e3243fac9f003c6af7663ba84405346fbdb66c6f401387cd20ea3f99d63d0858ebdc76f2e6bc722d41e2a1f599bc6f7d97b0687dba95dea31b39

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\BBBBBBBBBBB
Filesize
129B

MD5
d81d8c35e7d484bb7f85c264ed071e3e

SHA1
826f6c62281a31b379987a80788a30a2f7b5c572

SHA256
eea2d0f74b9b577a485a2dd07b93ac7fd67d4805efb18a43f3effeaa261bea48

SHA512
faf2c7de3ac14f6d1d699a640dc65e005c69fb02537306cb572a0d5d939bd11485b03a59bdf125a2b9e3c634d589de964aa481360138a809c5eaf556fb811e11

Download Submit
memory/8-2873-0x000000007FE40000-0x000000007FE41000-memory.dmp

Filesize
4KB

Download
memory/8-2869-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

Filesize
4KB

Download
memory/8-2868-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

Filesize
4KB

Download
memory/8-2867-0x000000007FE20000-0x000000007FE21000-memory.dmp

Filesize
4KB

Download
memory/8-2866-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/8-2865-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/8-2870-0x000000007FE00000-0x000000007FE01000-memory.dmp

Filesize
4KB

Download
memory/2304-2820-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2304-2822-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2304-2825-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2304-2826-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2304-2829-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2304-2824-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/2304-2832-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2304-2833-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2304-2834-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2304-2835-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2304-2836-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2304-2823-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2304-2821-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/2304-2819-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/2304-2899-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2304-2818-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/2304-2817-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/2304-2898-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2304-2871-0x00007FFC2B8E0000-0x00007FFC2B8F0000-memory.dmp

Filesize
64KB

Download
memory/2304-2872-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/2304-2874-0x00007FFC2B8E0000-0x00007FFC2B8F0000-memory.dmp

Filesize
64KB

Download
memory/4140-2804-0x0000000002D80000-0x0000000002D90000-memory.dmp

Filesize
64KB

Download
memory/4140-2803-0x0000000002D80000-0x0000000002D90000-memory.dmp

Filesize
64KB

Download
memory/4140-1-0x0000000002D80000-0x0000000002D90000-memory.dmp

Filesize
64KB

Download
memory/4140-2805-0x0000000002D80000-0x0000000002D90000-memory.dmp

Filesize
64KB

Download
memory/4140-0-0x0000000002D80000-0x0000000002D90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads