Analysis

max time kernel: 92s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-11-2024 04:31
Behavioral task: behavioral1
  Sample: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe
  Resource: win10v2004-20241007-en
General

Target: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe
Size: 145KB
MD5: b2cb742a43762106fc03fa1e26fd4f68
SHA1: aef4e9199b06b835b6e677c0910d3ed6fdf96ef3
SHA256: f4dcf20fcdd95d241eadcd88ce30998189d0682132456e9254321a8d6d281611
SHA512: d0521e8a496e53a309acf7f9d388e684bfa068cc77d23ae6a7da75e6dea962b2a9e3dd5a27dc5e45c054aa025e3ff1a3c237a996aab2fbcfaa68483481ca4975
SSDEEP: 3072:5qJogYkcSNm9V7D58PleQQuloQwssCnT:5q2kc4m9tDcQvuiQfD
Malware Config
Signatures

- Renames multiple (604) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation (Process: D2E1.tmp)

- Deletes itself (1 IoC)
  pid 3504, Process: D2E1.tmp

- Executes dropped EXE (1 IoC)
  pid 3504, Process: D2E1.tmp

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Drops desktop.ini file(s) (2 IoCs)
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini (Process: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe)
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini (Process: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe)

- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.

- Drops file in System32 directory (4 IoCs)
  File created: C:\Windows\system32\spool\PRINTERS\PPn7bxcb9xge6i37ul_owh7k7o.TMP (Process: printfilterpipelinesvc.exe)
  File created: C:\Windows\system32\spool\PRINTERS\00002.SPL (Process: splwow64.exe)
  File created: C:\Windows\system32\spool\PRINTERS\PPrw0bl92awwxlevf47at3s4oac.TMP (Process: printfilterpipelinesvc.exe)
  File created: C:\Windows\system32\spool\PRINTERS\PPtdbl_aw0k9ajvuu1p9tdqudp.TMP (Process: printfilterpipelinesvc.exe)

- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\BNzPckH0e.bmp" (Process: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\BNzPckH0e.bmp" (Process: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe)

- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 3504, Process: D2E1.tmp

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: D2E1.tmp)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: cmd.exe)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process: ONENOTE.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (Process: ONENOTE.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (Process: ONENOTE.EXE)

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (Process: ONENOTE.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (Process: ONENOTE.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (Process: ONENOTE.EXE)

- Modifies Control Panel (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop (Process: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\WallpaperStyle = "10" (Process: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe)

- Modifies registry class (5 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.BNzPckH0e (Process: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.BNzPckH0e\ = "BNzPckH0e" (Process: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e\DefaultIcon (Process: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e (Process: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\BNzPckH0e\DefaultIcon\ = "C:\\ProgramData\\BNzPckH0e.ico" (Process: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe)

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3024, Process: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe (64 identical entries)

- Suspicious behavior: RenamesItself (26 IoCs)
  pid 3504, Process: D2E1.tmp (26 identical entries)

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All 64 entries: pid 3024, Process: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe
  Tokens, in the order reported: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege; entries 17 through 64 alternate in pairs between SeBackupPrivilege and SeSecurityPrivilege (SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, repeated).

- Suspicious use of SetWindowsHookEx (13 IoCs)
  pid 4924, Process: ONENOTE.EXE (13 identical entries)

- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 3024 wrote to memory of 388 (Process: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe, procid_target 92), 2 entries
  PID 3108 wrote to memory of 4924 (Process: printfilterpipelinesvc.exe, procid_target 97), 2 entries
  PID 3024 wrote to memory of 3504 (Process: 2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe, procid_target 98), 4 entries
  PID 3504 wrote to memory of 5700 (Process: D2E1.tmp, procid_target 99), 3 entries
Processes

- C:\Users\Admin\AppData\Local\Temp\2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-12_b2cb742a43762106fc03fa1e26fd4f68_darkside.exe"
  PID: 3024
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 388
    - Drops file in System32 directory

  - C:\ProgramData\D2E1.tmp
    Command line: "C:\ProgramData\D2E1.tmp"
    PID: 3504
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D2E1.tmp >> NUL
      PID: 5700
      - System Location Discovery: System Language Discovery

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 764

- C:\Windows\system32\printfilterpipelinesvc.exe
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  PID: 3108
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  - C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{E0CAD3EF-4C28-4BF0-A005-E936E1F6341B}.xps" 133758595220990000
    PID: 4924
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 129B
  MD5: 0b61c2bf8d32ea0459af910ff2aa98e6
  SHA1: f99f334d9930653e7185751c4afcc70ef816dc4c
  SHA256: 7f5b22c983b25721513821ac3ee6fd34b7a3106dd0bb7e53431d8e9226540c7a
  SHA512: 4f296ec662a47f2a5a0cdd3a03942fbfc802ee94e65b5e54adb524e4acc44acae0d3a36ab8c8da78d08aee542db342e134601c1e98eaf49550518b5e1188dfbe

- Filesize: 93B
  MD5: eaebdbc14b3c2ecdcec757fc361f5589
  SHA1: 02ec5589c9f3c671c464671faaf1b8343d849490
  SHA256: 0f037f3ac40aa8e999e3394d3741594b3410581f89eb467863e0ff30fa2417da
  SHA512: 14f5876fd27dbff0784e851e1c2fe4c68f70dc3b0cc2e95f10ab28bc872f90e82bb590f441379b73579c54680132a6961d216b9c18cd9648f9a45d4a72db660f

- Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

- Filesize: 145KB
  MD5: 080195123dd27d8bb0ba212d1d55f1b1
  SHA1: b7cdba90000a52d24585c38b181dadff3c9b4b64
  SHA256: c5ced65e386a9c97311fb9230e42623185297d88253cf9174a672c93540a35ca
  SHA512: ef401b17934d5aaa113f0085275ddc545c06ce1d042f66a78f6516bc15e05a6e08408870fb4de64a825435b3dc4931a66e50de44c7fee7f1112ed932b18227bd

- Filesize: 4KB
  MD5: fd77a1563af98cbf4f347f3d018ab184
  SHA1: 8c1afddb548aca67684866e6f3d03991cf75a68f
  SHA256: ad135c6f54c1c86e9c117beaa2d53eef9183fa35b87bc117d756618af54dd8bb
  SHA512: 79a36e9d29d62acce57c4ef37550da21c6ecabc66a14ca05df4c8bb83336d826fc8d1f174078c66d753b24314de9b1ddda6eb559db1880d567db2acb0490a1c8

- Filesize: 4KB
  MD5: 2fa34e311bb1e8e10786ff00b28cad68
  SHA1: 0ba4b9035e758363d8062b213668349dbfc92802
  SHA256: ab8c482157c21d3467ac440fb12efdfb1873187745c5e0857c74e6f439ae1acb
  SHA512: 4fca31b76e95deebd5c3aed765a9f2841df3244e3eb71dc2b2ad7234d66ff9b9d81c32ab2a4b7e1e4365e89a298a9565b56c61d9250a4405a2b323ead23d1619

- Filesize: 129B
  MD5: dace2adc5442e3b94a636eecad351683
  SHA1: 6d95b37f6fbd9e20239021a7c931cdfe3ea17192
  SHA256: bc01512e8f156e49d4a059cb55fb3469ae50334de71b5b96ab921b5531b774db
  SHA512: 8afaaa521c72008b370b5aca6c87312d3e54d4f4b944a5285a042b48b68681ac51064fa0de92850c11f333ee62743bd8ab8c85e9e0cb3580c71b210c960799c4