870da2dea3d586ccaa3230464b910704460f354afdd417587a167735e478b0be

Analysis

max time kernel
91s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Size

145KB
MD5

407ce6cf7b3ca16443b0b5eb49c01b3c
SHA1

4c7a95bc4e92110f8ec7e050fb2c6f519f94dcc0
SHA256

870da2dea3d586ccaa3230464b910704460f354afdd417587a167735e478b0be
SHA512

a5aedc10cf1e7abf1491b7a680f5ecd2b07975fc2d0f859f4f277ff55b8899fd0402e949a81c20b660026a28a24565f2119386ed3e882886f2141a904fa0cb34
SSDEEP

3072:yqJogYkcSNm9V7DMr3lW1mOXY6pcphw9k8nT:yq2kc4m9tDOqno6pb9k8

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (608) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

E3D9.tmp

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	E3D9.tmp

Deletes itself 1 IoCs

Processes:

E3D9.tmp

pid	Process
1012	E3D9.tmp

Executes dropped EXE 1 IoCs

Processes:

E3D9.tmp

pid	Process
1012	E3D9.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2990742725-2267136959-192470804-1000\desktop.ini	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2990742725-2267136959-192470804-1000\desktop.ini	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PP81_8j3s260k13v41csrlk1df.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPzz00qs1tkl0f0cmxzu0t9e74.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPssa6ub0f_10bn120b_cioci0.TMP	printfilterpipelinesvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

E3D9.tmp

pid	Process
1012	E3D9.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe

pid	Process
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

E3D9.tmp

pid	Process
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp
1012	E3D9.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeDebugPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: 36	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeImpersonatePrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeIncBasePriorityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeIncreaseQuotaPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: 33	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeManageVolumePrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeProfSingleProcessPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeRestorePrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSystemProfilePrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeTakeOwnershipPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeShutdownPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeDebugPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeBackupPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
Token: SeSecurityPrivilege	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	Process
3728	ONENOTE.EXE
3728	ONENOTE.EXE
3728	ONENOTE.EXE
3728	ONENOTE.EXE
3728	ONENOTE.EXE
3728	ONENOTE.EXE
3728	ONENOTE.EXE
3728	ONENOTE.EXE
3728	ONENOTE.EXE
3728	ONENOTE.EXE
3728	ONENOTE.EXE
3728	ONENOTE.EXE
3728	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exeprintfilterpipelinesvc.exeE3D9.tmp

description	pid	Process	procid_target
PID 4968 wrote to memory of 1400	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe	88
PID 4968 wrote to memory of 1400	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe	88
PID 4968 wrote to memory of 1012	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe	91
PID 4968 wrote to memory of 1012	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe	91
PID 4968 wrote to memory of 1012	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe	91
PID 4968 wrote to memory of 1012	4968	2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe	91
PID 3960 wrote to memory of 3728	3960	printfilterpipelinesvc.exe	92
PID 3960 wrote to memory of 3728	3960	printfilterpipelinesvc.exe	92
PID 1012 wrote to memory of 1676	1012	E3D9.tmp	93
PID 1012 wrote to memory of 1676	1012	E3D9.tmp	93
PID 1012 wrote to memory of 1676	1012	E3D9.tmp	93

C:\Users\Admin\AppData\Local\Temp\2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_407ce6cf7b3ca16443b0b5eb49c01b3c_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:1400
- C:\ProgramData\E3D9.tmp
  "C:\ProgramData\E3D9.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E3D9.tmp >> NUL
    3⤵
    PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:388

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{BCC70066-901E-408F-B15C-843B91DEC59D}.xps" 133651286550250000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2990742725-2267136959-192470804-1000\AAAAAAAAAAA

Filesize
129B

MD5
5a0ae0f8b506bff0b40b70bb16d41560

SHA1
0af0768bb64e8b5620f397e93f2d136eb694ce53

SHA256
363545638828b0296fc25992421d8b8fe2532b43cd5f882da6cb59711d331c17

SHA512
622b88e8768565f9d3b6b86b7f1b890a4345c28995a164881de8410cea1e1e0142ced7935ae86d6899ded7ad62bc275dfdb2ea12d2267c695310b89efedc7792

Download Submit
C:\ProgramData\E3D9.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

Filesize
145KB

MD5
b078778326dd22c9d70409aeb69b5c7f

SHA1
d32e14ac1ce6053c646231893799101973bfeefd

SHA256
31cde244ed7495301da51de661cb0ed8d29871e8bf637682fdbf6be307017290

SHA512
528ef1030c1d3e3e9d2d1895846b5567430c5945df75ed27fad971bb745070d061e8ec48c132e2d847cc047d9ab77e97bc09c2b76c08dd05bf55ebf8079a9f6b

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
3c087befcb0c9f2bc826126112bacbf9

SHA1
f0c458f42d4371f23a2a5ea20117014364e8ad7e

SHA256
b129ed463d32b96c2a2c35371d74da720b380a5700e2f8dbc0426a1d546c855b

SHA512
6d810cb91b6c0daf10d3fc98d28df1a42c27900005cb307044e38f964c8d6b1d762b95fde79a1b81aed2a39631c5b22247883e86931df7cb3e16ba4f0fe36a2a

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
30e2689290d95c71fc266863e9008573

SHA1
530a33de261f4be547f0632e1ee302a1e61f93a7

SHA256
3a27d4206a7862957f2659fe55258cf0689d8f4de1d1d98631448acd97d6b8fe

SHA512
46c05fdf64db142e738e6ef7ad913f8e452509df38f4bfc228598ef3e61b124ccee80d7d578545d39c3035d3bd3b9081de959cef6b0ba7e3e7c718259a847782

Download Submit
C:\Yv70tJwEA.README.txt

Filesize
316B

MD5
4622f25d3fceae1edd56b7987487fe4a

SHA1
d59ac93d8974ec768b5f4523a9e3997bafa03c7a

SHA256
acb4289e08f9a0acd9c54b4d082e71bdca27e5a04ef548698844c53a27d4128a

SHA512
744ee4f73931190c4229fb5140d40c2c33e8477f484e1815cd4a71cea0981b48bf7c20bf70697e0dc4d1f68c065f6e8f0b97849d78b2e0ec5aadbedb6c62f483

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2990742725-2267136959-192470804-1000\DDDDDDDDDDD

Filesize
129B

MD5
df72fc0821b8171adbba746318430550

SHA1
c13fcf2e521d542f82335c9ff936ae9279c6e183

SHA256
dddf791f8b7873047b2205d319c4eb6cdbdf13755cf9e62ef48a81e68ff100c6

SHA512
c70b47ca7d049725b91011cb5bcb531202639bc76b0352e538d57b2eac6de974a00dc672fe589c005ae5c3ff936d9ade3259c7822caeb55b54a1f6266aa19ece

Download Submit
memory/3728-2821-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/3728-2818-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/3728-2820-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/3728-2838-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/3728-2839-0x00007FF8FAC50000-0x00007FF8FAC60000-memory.dmp

Filesize
64KB

Download
memory/3728-2840-0x00007FF8F8970000-0x00007FF8F8980000-memory.dmp

Filesize
64KB

Download
memory/3728-2841-0x00007FF8F8970000-0x00007FF8F8980000-memory.dmp

Filesize
64KB

Download
memory/4968-2-0x0000000003270000-0x0000000003280000-memory.dmp

Filesize
64KB

Download
memory/4968-0-0x0000000003270000-0x0000000003280000-memory.dmp

Filesize
64KB

Download
memory/4968-1-0x0000000003270000-0x0000000003280000-memory.dmp

Filesize
64KB

Download