Analysis
-
max time kernel
147s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06-10-2024 04:50
Behavioral task
behavioral1
Sample
2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe
-
Size
146KB
-
MD5
e09dd7cca0c6c147ba21b4062e723c5b
-
SHA1
ff6333bdda824e4c13bcd13351bd4bb14aaeab11
-
SHA256
d9938ac4346d03a07f8ce8b57436e75ba5e936372b9bfd0386f18f6d56902c88
-
SHA512
603f45dc0b3302739ef6e4727572ecf64cf6f65c80af1e05aa3795fc9ce36849cf0f465bbf8a9f116c8fb3da8d91998ec5582b24503f4f43764e7b3543a94c4e
-
SSDEEP
3072:yqJogYkcSNm9V7DNDgSKet5JXglKso1WT:yq2kc4m9tDjlrJX3so
Malware Config
Extracted
C:\fB1SZ2i3X.README.txt
https://tox.chat
Signatures
-
Renames multiple (636) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation DCB5.tmp -
Deletes itself 1 IoCs
pid Process 4640 DCB5.tmp -
Executes dropped EXE 1 IoCs
pid Process 4640 DCB5.tmp -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe File created C:\Windows\system32\spool\PRINTERS\PPc6nyupte4uritwtbayww0i7ec.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PP999y1sb_glhuziygs2blv5ffc.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPah2ow50e5wmu76j8rcsmlmeqb.TMP printfilterpipelinesvc.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\fB1SZ2i3X.bmp" 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\fB1SZ2i3X.bmp" 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4640 DCB5.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DCB5.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\WallpaperStyle = "10" 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\fB1SZ2i3X 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\fB1SZ2i3X\DefaultIcon\ = "C:\\ProgramData\\fB1SZ2i3X.ico" 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.fB1SZ2i3X 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.fB1SZ2i3X\ = "fB1SZ2i3X" 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\fB1SZ2i3X\DefaultIcon 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp 4640 DCB5.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeDebugPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: 36 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeImpersonatePrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeIncBasePriorityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeIncreaseQuotaPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: 33 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeManageVolumePrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeProfSingleProcessPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeRestorePrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSystemProfilePrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeTakeOwnershipPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeShutdownPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeDebugPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeBackupPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe Token: SeSecurityPrivilege 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 1068 ONENOTE.EXE 1068 ONENOTE.EXE 1068 ONENOTE.EXE 1068 ONENOTE.EXE 1068 ONENOTE.EXE 1068 ONENOTE.EXE 1068 ONENOTE.EXE 1068 ONENOTE.EXE 1068 ONENOTE.EXE 1068 ONENOTE.EXE 1068 ONENOTE.EXE 1068 ONENOTE.EXE 1068 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2364 wrote to memory of 1868 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 86 PID 2364 wrote to memory of 1868 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 86 PID 1816 wrote to memory of 1068 1816 printfilterpipelinesvc.exe 91 PID 1816 wrote to memory of 1068 1816 printfilterpipelinesvc.exe 91 PID 2364 wrote to memory of 4640 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 92 PID 2364 wrote to memory of 4640 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 92 PID 2364 wrote to memory of 4640 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 92 PID 2364 wrote to memory of 4640 2364 2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe 92 PID 4640 wrote to memory of 4480 4640 DCB5.tmp 94 PID 4640 wrote to memory of 4480 4640 DCB5.tmp 94 PID 4640 wrote to memory of 4480 4640 DCB5.tmp 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-06_e09dd7cca0c6c147ba21b4062e723c5b_darkside.exe"1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
PID:1868
-
-
C:\ProgramData\DCB5.tmp"C:\ProgramData\DCB5.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DCB5.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:4480
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4008
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{3C79C5AC-C135-4A11-A1C3-5B62F9D7774F}.xps" 1337266384466800002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1068
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD55ce4eeffbee17a0e536d394bb71a21c4
SHA1d8f2c6dbd3ef7d85913f3cea95d81313477e986f
SHA25665fa8e84f511ce2a6b7892ec23a2c731289f70b712578ca242859e6d719a8ba2
SHA512de795f3af1ed3bfcba4302f0ad14de8b148b6df5ec4b7a743843645e813971524b025927dd8959bbe60a88d0c7627c22850903da7bf4e710b3f516b0f1c13d9e
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
146KB
MD5553f4d4b71d8672384730017fecf70a3
SHA17bd3343d73589eca20ee33d6735f74f0b31f6397
SHA256d6533671a1940daccd43acc2271f1a74645bb6808fdf2989333d0adbf50d974f
SHA5124a40c3152e1ac21cbed03bd3016d937ee1f324d4af66f70bc4aac05a72232569cc21030d273a97ed16c7484ccc2286690c7f7ee550334fd0c9a80c572a115b98
-
Filesize
4KB
MD5b233db26fc9778d2d912b3aff3e7c7e0
SHA1391fed8a6c79d97c580d54b1a2920b83d9df5813
SHA2565f99219204206770011530eacc36151a0d32e9ecd108c34cea5119ca1a66a175
SHA5126e99e377bad56146fe23fef43e7ba01a1f7c534594dd99fec2cdfb9bca70cadf7bc1a546887cb8c272d9b965d5938338c14404706b250ed3d17c49b648c75ccf
-
Filesize
1KB
MD5e6d07d33a31714f471d3ac44e7757ea6
SHA15de75bc72ceb82401cea9d1859ea2e9b6ab4e53a
SHA256220ce1772c368af23d016f6283f0c0284b4868ec574cb93e38e93fa87555e8e7
SHA512d7d09604226422e2742625390945019f85fd281c392322006c9095d4ceadf90ddb5a04560033c00ee3ce76a8c38872967add4e5f041987f27d03dad4454ab894
-
Filesize
129B
MD55a9babd8a03c2f9f49b455efbc012754
SHA17b1e2c2ab3bc3956b4629896a1b561c972ccf8c6
SHA256c365b9bd73c5b9eda70c8744f7ccd9531954cbbd98f82b43e360fe69918268da
SHA5120a67bf01cb307d4079b97aa92d925934e39afd044460fe1cfaf9381e7be9b1160e5f8198200ecf8dcfec5990810b2258178a18d6fefbd6661eaf0c276020e526