Analysis
max time kernel: 147s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/09/2024, 06:45
Behavioral task: behavioral1
Sample: 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
Resource: win11-20240802-en

General
Target: 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
Size: 147KB
MD5: 20b0043ff680ffd554923069b7150b6a
SHA1: 5f5caf42e317e617994069453fb1c8d86fd2f1ee
SHA256: 879e3a5051e3d56eaac8056e91dd8dcd11433198c0fc40866bf074c16f333ded
SHA512: a0757ad09a010d4ba7f3b5558e0e232c1faf3ca4e7b83d343150beee2b5341b767cbaaf4a17d9f3bb0e8f76b9a20f9fddf05c37ff3cdbfb28168dcdff160da44
SSDEEP: 3072:x6glyuxE4GsUPnliByocWepFsvLGJJC0iohCI:x6gDBGpvEByocWe3svLMJhr
Malware Config
Signatures

Renames multiple (590) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

Deletes itself (1 IoC)
  pid | Process
  1436 | D7A4.tmp

Executes dropped EXE (1 IoC)
  pid | Process
  1436 | D7A4.tmp

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-4272559161-3282441186-401869126-1000\desktop.ini | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-4272559161-3282441186-401869126-1000\desktop.ini | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe

Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
  File created | C:\Windows\system32\spool\PRINTERS\PP5ttjyq56y506a2opxnrxk1vzd.TMP | printfilterpipelinesvc.exe
  File created | C:\Windows\system32\spool\PRINTERS\PPoy7zs2d67b9hbasc5kwrt0lid.TMP | printfilterpipelinesvc.exe
  File created | C:\Windows\system32\spool\PRINTERS\PPxt59zpyecgju_a4x08xs3i8p.TMP | printfilterpipelinesvc.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\N7prImOYL.bmp" | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\N7prImOYL.bmp" | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid | Process
  3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe (4 identical rows)
  1436 | D7A4.tmp

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | D7A4.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE

Modifies Control Panel (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Control Panel\Desktop | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe

Modifies registry class (6 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\N7prImOYL\DefaultIcon\ = "C:\\ProgramData\\N7prImOYL.ico" | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Key created | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.N7prImOYL | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.N7prImOYL\ = "N7prImOYL" | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\N7prImOYL\DefaultIcon | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\N7prImOYL | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe

Opens file in notepad (likely ransom note) (1 IoC)
  pid | Process
  1500 | NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  232 | ONENOTE.EXE (2 identical rows)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe (64 identical rows)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  4492 | OpenWith.exe

Suspicious behavior: RenamesItself (26 IoCs)
  pid | Process
  1436 | D7A4.tmp (26 identical rows)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeAssignPrimaryTokenPrivilege | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Token: SeBackupPrivilege | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Token: SeDebugPrivilege | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Token: 36 | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Token: SeImpersonatePrivilege | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Token: SeIncBasePriorityPrivilege | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Token: SeIncreaseQuotaPrivilege | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Token: 33 | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Token: SeManageVolumePrivilege | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Token: SeProfSingleProcessPrivilege | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Token: SeRestorePrivilege | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Token: SeSecurityPrivilege | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Token: SeSystemProfilePrivilege | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Token: SeTakeOwnershipPrivilege | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Token: SeShutdownPrivilege | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Token: SeDebugPrivilege | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  The remaining 48 rows are all for pid 3256 / 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe and alternate in pairs between Token: SeBackupPrivilege and Token: SeSecurityPrivilege (24 rows each).

Suspicious use of SetWindowsHookEx (15 IoCs)
  pid | Process
  232 | ONENOTE.EXE (14 identical rows)
  4492 | OpenWith.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 3256 wrote to memory of 1308 | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe | 84 (2 identical rows)
  PID 2024 wrote to memory of 232 | 2024 | printfilterpipelinesvc.exe | 87 (2 identical rows)
  PID 3256 wrote to memory of 1436 | 3256 | 2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe | 88 (4 identical rows)
  PID 1436 wrote to memory of 2788 | 1436 | D7A4.tmp | 89 (3 identical rows)
Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-02_20b0043ff680ffd554923069b7150b6a_darkside.exe"
  PID: 3256
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\splwow64.exe (child of PID 3256)
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1308
    - Drops file in System32 directory

  C:\ProgramData\D7A4.tmp (child of PID 3256)
    Command line: "C:\ProgramData\D7A4.tmp"
    PID: 1436
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (child of PID 1436)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D7A4.tmp >> NUL
      PID: 2788
      - System Location Discovery: System Language Discovery

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 1220

C:\Windows\system32\printfilterpipelinesvc.exe
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  PID: 2024
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (child of PID 2024)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{82C3DE6D-5166-4D72-8444-8F8BB16A805A}.xps" 133697331358940000
    PID: 232
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\N7prImOYL.README.txt
  PID: 1500
  - Opens file in notepad (likely ransom note)

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 4492
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads