3934455289f9b1a4d37c785c89e8c177c58e20406e6f1a825b3b2ae19d665da2

Analysis

max time kernel
91s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Size

146KB
MD5

04e651e75deb8edc024b8295532f5d3f
SHA1

d8660e404e98db706ae3b74fbb04d08a2ac7130b
SHA256

3934455289f9b1a4d37c785c89e8c177c58e20406e6f1a825b3b2ae19d665da2
SHA512

b1b46d0fb381ecb15aff708c0751cff95992b15d897602cc119590f6c1ce13b2e88b8c862dfc1e8bdd8c7b96a5eb3bb0eafb2f3b0a2e8485dd2257888cb19b6f
SSDEEP

3072:mqJogYkcSNm9V7Db/aSG5HF5v5pANOhKT:mq2kc4m9tDvQHF5Xt

Score

10^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\HdbtqCuyh.README.txt

Ransom Note

[Your Files Have Been Encrypted] Hello, Your files have been encrypted with strong encryption algorithms. To regain access to your data, you need to follow the instructions below: Do Not Attempt to Recover Your Files: Any attempt to recover your files using third-party tools will result in permanent data loss. Pay the Ransom: You must pay a ransom of 1 Bitcoin to receive the decryption key. Payment must be made within 72 hours to avoid data loss. Contact Us on Telegram: To get the payment details and further instructions, contact us via Telegram at @BIBIL_0DAY. Decryption Key: After payment is confirmed, we will send you the decryption key and instructions on how to unlock your files. Warning: If you do not contact us or pay within the given timeframe, your data will be permanently lost. Do not attempt to contact us via any other means. We will not respond. Your encrypted files are your responsibility. Telegram Username: @BIBIL_0DAY

Signatures

Renames multiple (581) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

A019.tmp

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	A019.tmp

Deletes itself 1 IoCs

Processes:

A019.tmp

pid	Process
2932	A019.tmp

Executes dropped EXE 1 IoCs

Processes:

A019.tmp

pid	Process
2932	A019.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPxr5n2ji2pd0aq_9aeypfw0add.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPy9i0oyr2n72m0tlog0a50t6ce.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPqr5c30unaat2a1h0k81cwl7dd.TMP	printfilterpipelinesvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

A019.tmp

pid	Process
2932	A019.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exeA019.tmpcmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A019.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe

pid	Process
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

A019.tmp

pid	Process
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp
2932	A019.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeDebugPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: 36	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeImpersonatePrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeIncBasePriorityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeIncreaseQuotaPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: 33	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeManageVolumePrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeProfSingleProcessPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeRestorePrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSystemProfilePrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeTakeOwnershipPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeShutdownPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeDebugPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeBackupPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
Token: SeSecurityPrivilege	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	Process
3248	ONENOTE.EXE
3248	ONENOTE.EXE
3248	ONENOTE.EXE
3248	ONENOTE.EXE
3248	ONENOTE.EXE
3248	ONENOTE.EXE
3248	ONENOTE.EXE
3248	ONENOTE.EXE
3248	ONENOTE.EXE
3248	ONENOTE.EXE
3248	ONENOTE.EXE
3248	ONENOTE.EXE
3248	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exeprintfilterpipelinesvc.exeA019.tmp

description	pid	Process	procid_target
PID 2728 wrote to memory of 5084	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe	92
PID 2728 wrote to memory of 5084	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe	92
PID 4884 wrote to memory of 3248	4884	printfilterpipelinesvc.exe	97
PID 4884 wrote to memory of 3248	4884	printfilterpipelinesvc.exe	97
PID 2728 wrote to memory of 2932	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe	98
PID 2728 wrote to memory of 2932	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe	98
PID 2728 wrote to memory of 2932	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe	98
PID 2728 wrote to memory of 2932	2728	2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe	98
PID 2932 wrote to memory of 4592	2932	A019.tmp	99
PID 2932 wrote to memory of 4592	2932	A019.tmp	99
PID 2932 wrote to memory of 4592	2932	A019.tmp	99

C:\Users\Admin\AppData\Local\Temp\2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-10_04e651e75deb8edc024b8295532f5d3f_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:5084
- C:\ProgramData\A019.tmp
  "C:\ProgramData\A019.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A019.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:456

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{CAA9395D-7081-4C73-A99E-01FA3FAFA603}.xps" 133704386056970000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\BBBBBBBBBBB

Filesize
129B

MD5
0cd2fb1cfa0662df09e3acb99f83f74a

SHA1
08c6a6d9b89f9b52bd34a903f74f195ac9e096fc

SHA256
a9442981f20af56668adc52b97f14cd43159d625ed530404e9d2a29bc90010a6

SHA512
ddef27dcc28de07eb2dea5339f25dbb21d660c215f5ac7ef16899a7a8690814732a63cbd529eacaa0668b9da3e9fd94657ba34f693dbce785833725db4b35134

Download Submit
C:\HdbtqCuyh.README.txt

Filesize
980B

MD5
751940dccf55d21d7dcb7b8e614154d9

SHA1
5ef19237b4aaede4e95992356b2ec1481c1d8253

SHA256
875eafed5ef1785ec9cbd071d039aea59a1cfee0b62a0105d9b57118860ceac5

SHA512
afcfb8806c17fcdf1e1160a92719a79617ce4c4f6339c412bfaa3cfade6d290e2ecc936bec9f30b631ecef304744caa2e2a1a3f89e4e4e0f705fe6882e3236ce

Download Submit
C:\ProgramData\A019.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
146KB

MD5
e7dc04a038bf056ebfb6b2420fd4310b

SHA1
9951d88433a5f931599ad3120e236121790c5289

SHA256
51df8c3bbf155ba8dfd2af8a3871fa8b5f0b2b844af5bc2e07bceb23ee43c2e9

SHA512
bcef84562f6baf07808a99c132558b90987d358d08f7d5ccaab0bf181a50391880c7ebd9468e35e6b39c149511c0476c610cfcfcd3fde65c57641b5283256e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\{403C5AF5-100C-4302-8489-15F3399F7183}

Filesize
4KB

MD5
d95b7f58b739ec1aaa7a4630bcf06efd

SHA1
18af667729604dacf4507e27a634b4e0039f2a9f

SHA256
cd0cba4f8fb928b42d8f8911bb0bc88b10dae556fe83d021c07f4d52b2ea0e67

SHA512
5a20e00cf0c82cb45c14919ae5b911e5c5695548288189ec60ae5b4582b78c6e86bca6f616b2db27323e8fb6b0438b312ad61dfb7bb111b4f7808b79c393f417

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
67fef4e9a77738e6042accc74f49ead5

SHA1
b852c1eb5160fe3e4dfc6e1734283128929ffef0

SHA256
18d3fabf7f61c0a91ed1fec073dac7d1fcacc119e1c1de8a05979e22b28e3f0d

SHA512
886f4e317e1c9856ce86f866c02a2fb2ed595175342c9a5ae87b9ae7e440605989d2c039e08289ebef34deeff6748db81da9cdd1a3acdb4534ff03c4cfe3a983

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\DDDDDDDDDDD

Filesize
129B

MD5
d642b2c1b736bdac46b5b579a4ce4a56

SHA1
2b3dc14842350bdc588a6ac8943995c3365574cb

SHA256
cf7f7e188fbda7806d8f387719fa2a440a4410941971966614a300fe5b54909d

SHA512
6b66a462aba5f94bb63da04fc4acda4f4ccf643036b1ccf0606d1732b8622a99c420c378debf02d2add5100e4b645ad077bd1614dd952bbe70db96e659ecffc0

Download Submit
memory/2728-2761-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2728-2760-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2728-2759-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2728-2-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2728-1-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2728-0-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/3248-2781-0x00007FFDBDF50000-0x00007FFDBDF60000-memory.dmp

Filesize
64KB

Download
memory/3248-2782-0x00007FFDBDF50000-0x00007FFDBDF60000-memory.dmp

Filesize
64KB

Download
memory/3248-2777-0x00007FFDBDF50000-0x00007FFDBDF60000-memory.dmp

Filesize
64KB

Download
memory/3248-2809-0x00007FFDBBCB0000-0x00007FFDBBCC0000-memory.dmp

Filesize
64KB

Download
memory/3248-2810-0x00007FFDBBCB0000-0x00007FFDBBCC0000-memory.dmp

Filesize
64KB

Download
memory/3248-2778-0x00007FFDBDF50000-0x00007FFDBDF60000-memory.dmp

Filesize
64KB

Download
memory/3248-2776-0x00007FFDBDF50000-0x00007FFDBDF60000-memory.dmp

Filesize
64KB

Download