Analysis
max time kernel: 142s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 11:25
Behavioral task: behavioral1
Sample: 2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe
Resource: win7-20240221-en
General
-
Target: 2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe
-
Size: 146KB
-
MD5: 0f9efaba9a13338ad97e0e6ef2aabd6d
-
SHA1: 97db912c8f0055152837e424cd8764f905a29930
-
SHA256: d82aa76842e45325dd2b665ae410f91dfeb8fd2f9bc6449630090f3bac0c95b0
-
SHA512: c8ab75ae0046c1c33f1141d1d85aeae9eaf4952f8cc9bb6993c0d29bd8f67c7a1430339020b4652ee399899f1c993c34feeeef54bfd0c37fa56825437f85149a
-
SSDEEP: 3072:g6glyuxE4GsUPnliByocWepRdJxGkpV4wTwAY:g6gDBGpvEByocWedG
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence. The sandbox locale is en-us (see the resource tags above), so a geofence keyed on this value would not have aborted the run here.
Processes: E1FF.tmp (PID 1068)
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | E1FF.tmp
-
Deletes itself (1 IoC)
E1FF.tmp is the executable the sample wrote to C:\ProgramData and launched (see the process tree); it removes its own file through cmd.exe once it is done.
Processes: E1FF.tmp
pid | Process
1068 | E1FF.tmp
-
Executes dropped EXE (1 IoC)
Processes: E1FF.tmp
pid | Process
1068 | E1FF.tmp
-
Reads user/profile data of web browsers (2 TTPs, no IoC recorded)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) (2 IoCs)
The sample opens the Recycle Bin desktop.ini on both the system volume (C:) and the secondary volume (F:), so it walks every mounted volume, not only the one it runs from.
Processes: 2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe (PID 4908)
description | ioc
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini
-
Drops file in System32 directory (4 IoCs)
These are print-spooler artifacts (a spool file and print-pipeline temporaries) produced by a print job the sample started through splwow64.exe (spawned by PID 4908, see the process tree); the sample itself does not write to System32 here.
Processes: splwow64.exe, printfilterpipelinesvc.exe
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
File created | C:\Windows\system32\spool\PRINTERS\PP6sypmdtk70dg2vs608osnvgb.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PP21ucnwauhbhm5ye6ee5dirrpb.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPqp6tsrgdu7kkojryn2qsnahi.TMP | printfilterpipelinesvc.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
NtSetInformationThread with ThreadHideFromDebugger stops a debugger from receiving events for that thread; both the sample and the dropped E1FF.tmp use it, so expect the same anti-debug behaviour in the dropped file.
pid | Process | events
4908 | 2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe | 4
1068 | E1FF.tmp | 1
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Here the reads come from ONENOTE.EXE, which the print pipeline launched (see the process tree); this is ordinary Office start-up behaviour, not the sample.
Processes: ONENOTE.EXE (PID 2588)
description | ioc
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Same attribution as above: ONENOTE.EXE, not the sample.
Processes: ONENOTE.EXE (PID 2588)
description | ioc
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
-
Modifies registry class (5 IoCs)
The sample registers a new file extension, .hokwnrPwS, links it to a ProgID of the same name and points that ProgID's DefaultIcon at C:\ProgramData\hokwnrPwS.ico. This is how encrypted files get a custom extension and icon in Explorer; the extension string and the icon path are useful pivots for related samples and for host triage.
Processes: 2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe (PID 4908)
description | ioc
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS\DefaultIcon\ = "C:\\ProgramData\\hokwnrPwS.ico"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.hokwnrPwS
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.hokwnrPwS\ = "hokwnrPwS"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS\DefaultIcon
-
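As an added example (not part of the sandbox report and not the sample's own code), the five registry events above can be correlated into a single finding: a new file extension whose ProgID icon lives in a user-writable directory. The event strings are constructed to mirror this report's IoC rows, with one constructed benign control from a hypothetical installer (setup.exe registering .myapp); the function names, the USER_WRITABLE list and the line format assumed by SET_RE are assumptions, not a sandbox API.

```python
"""Correlate 'Modifies registry class' events into a new-extension finding.

Added example: the event lines are constructed to mirror the IoC rows of this
report (process name, description); they were not pulled from the sandbox.
"""
import re

# Key prefix the report uses for HKLM\SOFTWARE\Classes.
CLASSES = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"

# ASSUMPTION: installers keep ProgID icons under their install directory; an
# icon under one of these paths next to a fresh extension registration is the
# pattern this report shows (C:\ProgramData\hokwnrPwS.ico).
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")

# Matches the report's 'Set value (type) <key>\<name> = "<data>"' rows.
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)"$')

# Constructed events (process, description), modelled on the rows above plus
# a benign control from a hypothetical installer.
SAMPLE_EVENTS = [
    ("2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe",
     r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS"),
    ("2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe",
     r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS\DefaultIcon\ = "C:\\ProgramData\\hokwnrPwS.ico"'),
    ("2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe",
     r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.hokwnrPwS"),
    ("2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe",
     r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.hokwnrPwS\ = "hokwnrPwS"'),
    ("2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe",
     r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\hokwnrPwS\DefaultIcon"),
    # Benign control (constructed): an installer registers .myapp with an icon under Program Files.
    ("setup.exe", r"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.myapp"),
    ("setup.exe", r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.myapp\ = "MyApp.Document"'),
    ("setup.exe", r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MyApp.Document\DefaultIcon\ = "C:\\Program Files\\MyApp\\doc.ico,0"'),
]


def parse_set_value(description):
    """Return (key relative to Classes, value name, data) for a 'Set value' row, else None."""
    m = SET_RE.match(description)
    if not m:
        return None
    _type, path, data = m.groups()
    if not path.upper().startswith(CLASSES.upper()):
        return None
    rel = path[len(CLASSES):]                       # e.g. '.hokwnrPwS\' (trailing '\' = default value)
    key, _, value_name = rel.rpartition("\\")
    return key, value_name, data.replace("\\\\", "\\")   # the report doubles backslashes in data


def find_extension_hijacks(events, icon_dirs=USER_WRITABLE):
    """Pair '.ext -> ProgID' links with 'ProgID\\DefaultIcon' writes by the same
    process and report those whose icon sits in a user-writable directory."""
    ext_to_progid = {}   # (process, '.ext') -> ProgID
    progid_icon = {}     # (process, ProgID) -> icon path
    for proc, desc in events:
        parsed = parse_set_value(desc)
        if parsed is None:
            continue
        key, value_name, data = parsed
        if value_name != "":                         # only the (Default) value carries the link
            continue
        if key.startswith("."):
            ext_to_progid[(proc, key)] = data
        elif key.endswith("\\DefaultIcon"):
            progid_icon[(proc, key[: -len("\\DefaultIcon")])] = data
    findings = []
    for (proc, ext), progid in ext_to_progid.items():
        icon = progid_icon.get((proc, progid))
        if icon and any(d in icon.lower() for d in icon_dirs):
            findings.append({"process": proc, "extension": ext,
                             "progid": progid, "icon": icon})
    return findings


if __name__ == "__main__":
    for finding in find_extension_hijacks(SAMPLE_EVENTS):
        print(finding)
```

The correlation is keyed on the writing process so that an installer and a ransomware sample active at the same time are not cross-matched; on a real host the same three keys can be read back from HKLM\SOFTWARE\Classes during triage to recover the extension and icon path.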
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | events
4908 | 2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe | 64
-
Suspicious behavior: RenamesItself (26 IoCs)
pid | Process | events
1068 | E1FF.tmp | 26
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 events are from PID 4908 (2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe). The first 16 enable a fixed list of privileges in this order; the remaining 48 toggle SeBackupPrivilege and SeSecurityPrivilege in pairs (Backup, Backup, Security, Security) twelve times, which is the pattern of a process re-asserting backup semantics as it works through files.
Initial sequence (16 events): SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, privilege 36 (reported by number only), SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, privilege 33 (reported by number only), SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege.
Repeated sequence (48 events): SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, twelve times.
SeBackupPrivilege and SeRestorePrivilege let a process open files for read or write regardless of their DACL when it uses backup semantics, SeTakeOwnershipPrivilege lets it take over objects it still cannot open, and SeDebugPrivilege lets it open any process; together they explain how the sample reaches files and processes an ordinary user could not.
-
Suspicious use of SetWindowsHookEx (13 IoCs)
All 13 events are from ONENOTE.EXE (PID 2588), launched by the print pipeline; this is normal Office UI behaviour and not attributable to the sample.
pid | Process | events
2588 | ONENOTE.EXE | 13
-
Suspicious use of WriteProcessMemory (11 IoCs)
Every write is from a parent into a child it has just created (the sandbox records the target both as a Windows PID and as its own procid_target); there is no write into an unrelated process.
Processes: 2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe, printfilterpipelinesvc.exe, E1FF.tmp
description | pid | Process | procid_target | events
PID 4908 wrote to memory of 224 | 4908 | 2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe | 98 | 2
PID 4908 wrote to memory of 1068 | 4908 | 2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe | 103 | 4
PID 1640 wrote to memory of 2588 | 1640 | printfilterpipelinesvc.exe | 102 | 2
PID 1068 wrote to memory of 1748 | 1068 | E1FF.tmp | 104 | 3
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe (depth 1, PID 4908)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe"
  - Drops desktop.ini file(s)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\splwow64.exe (depth 2, PID 224, parent 4908)
    command line: C:\Windows\splwow64.exe 12288
    - Drops file in System32 directory
  -
  C:\ProgramData\E1FF.tmp (depth 2, PID 1068, parent 4908)
    command line: "C:\ProgramData\E1FF.tmp"
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 1748, parent 1068)
      command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E1FF.tmp >> NUL
-
C:\Windows\system32\svchost.exe (depth 1, PID 4928)
  command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 696)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1428 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
-
C:\Windows\system32\printfilterpipelinesvc.exe (depth 1, PID 1640)
  command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  -
  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (depth 2, PID 2588, parent 1640)
    command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{C848788D-A8C1-49B9-8883-9E633DD4FA4D}.xps" 133619740084120000
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx

Reading the tree: the sample (PID 4908) does three things directly. It spawns splwow64.exe, the bridge a 32-bit process uses to print on 64-bit Windows, which together with the spool files under system32\spool\PRINTERS and the PrintWorkflow service shows a print job; the default printer in this image is the Send-to-OneNote device, so the job surfaces as printfilterpipelinesvc.exe launching ONENOTE.EXE /insertdoc on an .xps in INetCache, and the registry and SetWindowsHookEx signatures on ONENOTE.EXE belong to that print job, not to the sample. It drops and runs C:\ProgramData\E1FF.tmp, which deletes itself via cmd.exe; the child resolves to C:\Windows\SysWOW64\cmd.exe although the command line names System32, which is WOW64 file-system redirection and confirms E1FF.tmp is a 32-bit image (consistent with the arch:x86 tag). The DEL target uses the 8.3 short name C:\PROGRA~3 for C:\ProgramData, so any path-based detection has to normalise short names before comparing. The msedge.exe utility process at depth 1 has no parent in the tree and is unrelated sandbox background activity.
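Detection logic for the self-deletion chain in the tree above (E1FF.tmp spawning cmd.exe to DEL its own image), as an added example that is not part of this report: it walks process-creation records, pulls the del/erase target out of cmd.exe command lines, expands known 8.3 short names and compares the result with the parent's image path, since here the DEL names C:\PROGRA~3\E1FF.tmp while the parent ran from C:\ProgramData\E1FF.tmp. The records are constructed from this report plus one benign control and one ping-delayed variant that is not from this run; the SHORT_NAMES table is an assumption (short names are assigned per volume, so a production detector should resolve them on the host with GetLongPathName).

```python
"""Flag 'process deletes its own image through cmd.exe' in process-creation records.

Added example built on this report's process tree; the records and the
8.3 short-name table below are constructed assumptions, not sandbox output.
"""
import re

# del/erase with optional switches, anywhere in the command line (so a leading
# `ping ... & ` delay, common in self-delete one-liners, still matches).
DEL_RE = re.compile(
    r'(?:^|[&|\s])(?:del|erase)\s+((?:/\w\s+)*)("[^"]*"|\S+)', re.IGNORECASE
)

# ASSUMPTION: 8.3 short names are per-volume; this table reflects the layout
# seen in this run (C:\PROGRA~3 is C:\ProgramData) and a default install.
SHORT_NAMES = {
    "c:\\progra~1\\": "c:\\program files\\",
    "c:\\progra~2\\": "c:\\program files (x86)\\",
    "c:\\progra~3\\": "c:\\programdata\\",
}

# Constructed process-creation records: pid, ppid, image path, command line.
SAMPLE_PROCS = [
    dict(pid=4908, ppid=0,
         image=r"C:\Users\Admin\AppData\Local\Temp\2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\2024-06-04_0f9efaba9a13338ad97e0e6ef2aabd6d_darkside.exe"'),
    dict(pid=1068, ppid=4908, image=r"C:\ProgramData\E1FF.tmp",
         cmdline=r'"C:\ProgramData\E1FF.tmp"'),
    dict(pid=1748, ppid=1068, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E1FF.tmp >> NUL'),
    # Benign control (constructed): cmd deleting a log file that is not its parent's image.
    dict(pid=2900, ppid=0, image=r"C:\Tools\build.exe", cmdline="build.exe"),
    dict(pid=3000, ppid=2900, image=r"C:\Windows\System32\cmd.exe",
         cmdline=r"cmd.exe /c del /q C:\Temp\build.log"),
    # Delayed self-delete variant (constructed, not from this report).
    dict(pid=5100, ppid=0, image=r"C:\Users\Admin\AppData\Local\Temp\loader.exe", cmdline="loader.exe"),
    dict(pid=5200, ppid=5100, image=r"C:\Windows\System32\cmd.exe",
         cmdline=r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Local\Temp\loader.exe"'),
]


def normalize(path):
    """Lower-case, strip quotes and expand the known 8.3 prefixes."""
    p = path.strip().strip('"').lower()
    for short, full in SHORT_NAMES.items():
        if p.startswith(short):
            p = full + p[len(short):]
            break
    return p


def find_self_deletes(procs):
    """Return one finding per cmd.exe whose del/erase target is its parent's own image."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        if not p["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(p["cmdline"])
        if not m:
            continue
        parent = by_pid.get(p["ppid"])
        if parent is None:
            continue
        if normalize(m.group(2)) == normalize(parent["image"]):
            findings.append({
                "cmd_pid": p["pid"], "parent_pid": parent["pid"],
                "parent_image": parent["image"], "target": m.group(2),
                "switches": m.group(1).strip(),
            })
    return findings


if __name__ == "__main__":
    for finding in find_self_deletes(SAMPLE_PROCS):
        print(finding)
```

Matching on the parent's image rather than on "cmd.exe deletes something in ProgramData" keeps the rule tight: build scripts and installers delete files constantly, but a process that arranges for its own executable to be unlinked is rare outside malware and updaters, and the parent image path in the finding is exactly the file to recover from the sandbox or from volume shadow copies.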
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists only hashes for the files collected from the run; none of them equals the submitted sample's MD5, so the 146KB entry is a different file of the same size, not the sample itself.
-
Filesize: 129B
MD5: 6a8677aaa5001baf4577b88f6d32cf6a
SHA1: d8f0a1c503ae5af987b15ce249382e5c57921de3
SHA256: 04607838cd69e90a942b2ae46e0761587f71aeab9332f86e6a05ec68c29cba77
SHA512: 8163fd0c842e1bc182ff92a1b6de3604c9365bef8be87de9c2a01d59c0704ab7c605a4a0c00e869a9dbbbb5ee70de16f8e0976365438a7ea56a3ef4dee0cff1d
-
Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize: 146KB
MD5: 2685b34f7afa8fa9371bf4a3261a38f9
SHA1: 169dcd1f246e867fd8c411551cd9046263f39561
SHA256: 703e3cdf5762ff12b7fec10d86ce0315922c4e6d41c31634d82a47e4e010ea2e
SHA512: 47b3876fa0091a045ba9c28cbc194d828aee18c46c8ce6350748d0aac34d2c5e0d3173611c9946ed4bb6463740a0ed79662d805569bbf7a9e743ee2c13b67453
-
Filesize: 4KB
MD5: 4e5155d688c69ed027047e2ebaa820c7
SHA1: 14ef45b4e0db99b695122607c6ec7636ee953e00
SHA256: 9aa55ce1e16e02ce26f3c2fee0a6a89660ef275f32ec00d23004d6aa7eaba251
SHA512: c3bd636d6a50b3aef17607491b95a673c0fa6e36efadec4494ba0c4e5d7792082b8ee79680809b00ea8a85d752c832ff08ae5ec08402ba8afc758db07f4116b5
-
Filesize: 4KB
MD5: 418f776359a78be1efec7bc9dd2d0e21
SHA1: eac2e7ce4f64bfb329000e090484eaf561391896
SHA256: afd65ad983a99ef2912d5f36f06c246707a37fbbbb00732c36e5d9ee82ad1352
SHA512: cf24cccbf53c8b207691c3551bbb4a7991394ea1f5db3f92caca9d009bab1522a7aaa79fab3b69f78113d414cf912efb1448aabe3877f1254242a7296693d26a
-
Filesize: 865B
MD5: 80ce254bf1170938cb7d41f5a98bf0ad
SHA1: f8eb2e6395f16c206d32d5fefccd4f7419324bc9
SHA256: 36b49a373e27694fa1be03e9557ef503c0e436289de49ff59718f19c4131f4ea
SHA512: d1f065109ef0aaa0a57a58bc2018e5042bda9883e584520943c4a8ef0b3d424d88eba0f69b6d29fb92a52837d388f0ec31136d3c79f07469eaaa811976db86f7
-
Filesize: 129B
MD5: 4a7728340f3a480aaa43900ee4cdf7a3
SHA1: c9b1ca7ecb23dbd9aaaa93e280e6bac9bc66b7e0
SHA256: 714c247ba739d12a9d0125dee19aea156844050e1a4abeca93e6505c169fc407
SHA512: fb0d7923939c749c2a3a1617606ee3e526f4914f05064443ada59ad36d34f6d924e4ba086c313ff8cfad4128c6a606db3b972a3cee69d6da94bcbcb7edbed67b