2925e11520e3d009f092fada3a10cf9ece1a22388a56d7a4c1571522d9b62af4

General

Target

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Size

194KB
MD5

e5688a4c13bed28637fd22bb920e1b86
SHA1

c4e491d4611e7c50904164c0f9f0ff232cde04da
SHA256

2925e11520e3d009f092fada3a10cf9ece1a22388a56d7a4c1571522d9b62af4
SHA512

ce21d161bb7aa31a6abbbaece080138c530bd0d5bcf28e8d70c4bc33374a396e8a97cc429e0c3791afc4c4368d6e8061bcd6ef38d77ae0cc9ad32dfbdf685168
SSDEEP

3072:56glyuxE4GsUPnliByocWepRGbVZqid91h2ys+tU:56gDBGpvEByocWeubV4inP9B

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (656) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

D1E2.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation D1E2.tmp
Deletes itself 1 IoCs

Processes:

D1E2.tmp

pid process

3248 D1E2.tmp
Executes dropped EXE 1 IoCs

Processes:

D1E2.tmp

pid process

3248 D1E2.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	D1E2.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PP68ao_0ljxx01ppoxffly1sllc.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPfdhvlar1y0mctsrlzu1nvm0y.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPazb1xx5gopufs8ztzig0qndpb.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Qs2QSInbk.bmp"	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Qs2QSInbk.bmp"	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exeD1E2.tmp

pid	process
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3248	D1E2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "10"	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

Modifies registry class 5 IoCs

Processes:

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk\DefaultIcon\ = "C:\\ProgramData\\Qs2QSInbk.ico"	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Qs2QSInbk	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Qs2QSInbk\ = "Qs2QSInbk"	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk\DefaultIcon	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

pid	process
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

D1E2.tmp

pid	process
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp
3248	D1E2.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeDebugPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: 36	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeImpersonatePrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeIncBasePriorityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeIncreaseQuotaPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: 33	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeManageVolumePrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeProfSingleProcessPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeRestorePrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSystemProfilePrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeTakeOwnershipPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeShutdownPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeDebugPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeBackupPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
Token: SeSecurityPrivilege	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	process
748	ONENOTE.EXE
748	ONENOTE.EXE
748	ONENOTE.EXE
748	ONENOTE.EXE
748	ONENOTE.EXE
748	ONENOTE.EXE
748	ONENOTE.EXE
748	ONENOTE.EXE
748	ONENOTE.EXE
748	ONENOTE.EXE
748	ONENOTE.EXE
748	ONENOTE.EXE
748	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exeprintfilterpipelinesvc.exeD1E2.tmp

description	pid	process	target process
PID 3296 wrote to memory of 1452	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe	splwow64.exe
PID 3296 wrote to memory of 1452	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe	splwow64.exe
PID 1416 wrote to memory of 748	1416	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 1416 wrote to memory of 748	1416	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 3296 wrote to memory of 3248	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe	D1E2.tmp
PID 3296 wrote to memory of 3248	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe	D1E2.tmp
PID 3296 wrote to memory of 3248	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe	D1E2.tmp
PID 3296 wrote to memory of 3248	3296	2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe	D1E2.tmp
PID 3248 wrote to memory of 5016	3248	D1E2.tmp	cmd.exe
PID 3248 wrote to memory of 5016	3248	D1E2.tmp	cmd.exe
PID 3248 wrote to memory of 5016	3248	D1E2.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_e5688a4c13bed28637fd22bb920e1b86_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Drops file in System32 directory
PID:1452

C:\ProgramData\D1E2.tmp
"C:\ProgramData\D1E2.tmp"
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D1E2.tmp >> NUL
3⤵
PID:5016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:820

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1416

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{AE87397B-6E6A-444C-B262-1DF39A2FAA85}.xps" 133586512840720000
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3992 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini

Filesize
129B

MD5
83572690647df13ea0648f897588b27b

SHA1
a998a5a361d399d76d143fffbaa0b8f8661426fc

SHA256
15713e967672f0713b0cfb1b8813d470fdff3ee6e54e29e3a0dbc43455bc6aba

SHA512
518b57b0fa14aa6e8253e5f0f06aa89cd3206f4634b6122c91b0b1ca9522f63545a849685128e8e9bfa02e48ea8b5736433e7eec89196409fafff117ca6cfbd6

Download Submit
C:\ProgramData\D1E2.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Qs2QSInbk.README.txt

Filesize
434B

MD5
ad29bd8c66e114ff57c943d16c78f72a

SHA1
5ab070ee89a36f38facae4dfc8ec5ce3e59af46e

SHA256
6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c

SHA512
a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
194KB

MD5
fee5aa48eef0d1c32f620174b439bfc0

SHA1
388b82fe0f394b37fe5f21682d4c52d0258768f4

SHA256
4da5ac3f960a9d63dfcc683e657beac8fb8a7223f4f4a157c18707f444cb5062

SHA512
619a8b18be3062de829c5262525ecbccead535a01d322abdc3962e3be5143ce2b9a0fc528644f1d85c01dad95e939f6dae872fd81bcfa0c7e4552a6b997ddbad

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2C36EA22-FC0F-4618-BF96-4CF370E11B93}

Filesize
4KB

MD5
87e272f7bf2dacf46761a3a6ea69be5b

SHA1
30a033149d2ef3240da88bb71048209011156a04

SHA256
199b63a8a14b58219d800623088e2bb9ea7d2894c45f1bfcfacee2c73df127bf

SHA512
2f24cbbfb065d208ef99df830a008eb34217667b5f28894470a7f3fdc878866858f7546bfb3b47e5514e55a456359e56600d9beaa9def0ae94578c2139aa4700

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
a0bc92e7110ad22d95be3a11ffe05306

SHA1
46a1a3a3a1131895a60a1b1e16a79a19b8d6b0c4

SHA256
93191062c8e8a1fab6c19683679d91bb37c5a1d68123aacfc78406435ee4bb08

SHA512
ac44205bc7ff07b6ff7ed1c96519add424ab43814fa6454c32a96b2d85c22e17b8c8e599dbaf0d32d684bec4bcd42ec017bee779e5435cd762e2e3f858fb70af

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\DDDDDDDDDDD

Filesize
129B

MD5
0ea594182bc95c123491a85777181729

SHA1
038db73b51bdaecf9f77fd7b6d6273f972f95597

SHA256
b0d6ebadaf753f6e6af8a1861d6e3fb54bb3f894706fde7c952289709147c359

SHA512
9c6123045cdf2b1552181897e6c7351582acdf9303b40b174ea48f6ae6607da988876c637dd51d4a8b17ad380c6e810ddca8c0239b5dfc4487e3a0797f366de3

Download Submit
memory/748-2848-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmp

Filesize
64KB

Download
memory/748-2850-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmp

Filesize
64KB

Download
memory/748-2849-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmp

Filesize
64KB

Download
memory/748-2851-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmp

Filesize
64KB

Download
memory/748-2852-0x00007FFD62A90000-0x00007FFD62AA0000-memory.dmp

Filesize
64KB

Download
memory/748-2885-0x00007FFD60A30000-0x00007FFD60A40000-memory.dmp

Filesize
64KB

Download
memory/748-2886-0x00007FFD60A30000-0x00007FFD60A40000-memory.dmp

Filesize
64KB

Download
memory/3296-0-0x0000000002CF0000-0x0000000002D00000-memory.dmp

Filesize
64KB

Download
memory/3296-2836-0x0000000002CF0000-0x0000000002D00000-memory.dmp

Filesize
64KB

Download
memory/3296-2835-0x0000000002CF0000-0x0000000002D00000-memory.dmp

Filesize
64KB

Download
memory/3296-2-0x0000000002CF0000-0x0000000002D00000-memory.dmp

Filesize
64KB

Download
memory/3296-1-0x0000000002CF0000-0x0000000002D00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads