Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15-11-2024 12:23
Behavioral task
behavioral1
Sample
2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe
-
Size
145KB
-
MD5
8005b63da0a2688ea287976c6f943abe
-
SHA1
2c84df5324d1044f2fba0385319d0248dc5beb4b
-
SHA256
0b96b4946ea996ef7d79b7d2d4d5bf3506457f26a47e835492c53f587f0a6111
-
SHA512
89077d40eaf1f3cd1940d5f26796fee7634e38d63870861b85002aa4b66412f7741980d7c587a45f795fc3b27b71adb19776b20dc06f5b70b5efdaa10171ae25
-
SSDEEP
3072:P6glyuxE4GsUPnliByocWeppfpra9wpAm9bXFKo0bW:P6gDBGpvEByocWepm9mpj0
Malware Config
Signatures
-
Renames multiple (639) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation F34A.tmp -
Deletes itself 1 IoCs
pid Process 5628 F34A.tmp -
Executes dropped EXE 1 IoCs
pid Process 5628 F34A.tmp -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe File created C:\Windows\system32\spool\PRINTERS\PP0kxbnaoaxl3nzn03v7rox7_o.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PP0p56k0dxzetkba2fetjd8c60c.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPxg53tlmulvov86_qhw7_ddp3.TMP printfilterpipelinesvc.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\IPjaex13M.bmp" 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\IPjaex13M.bmp" 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 5628 F34A.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F34A.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\WallpaperStyle = "10" 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.IPjaex13M 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.IPjaex13M\ = "IPjaex13M" 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IPjaex13M\DefaultIcon 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IPjaex13M 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IPjaex13M\DefaultIcon\ = "C:\\ProgramData\\IPjaex13M.ico" 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp 5628 F34A.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeDebugPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: 36 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeImpersonatePrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeIncBasePriorityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeIncreaseQuotaPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: 33 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeManageVolumePrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeProfSingleProcessPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeRestorePrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSystemProfilePrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeTakeOwnershipPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeShutdownPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeDebugPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeBackupPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe Token: SeSecurityPrivilege 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 3432 ONENOTE.EXE 3432 ONENOTE.EXE 3432 ONENOTE.EXE 3432 ONENOTE.EXE 3432 ONENOTE.EXE 3432 ONENOTE.EXE 3432 ONENOTE.EXE 3432 ONENOTE.EXE 3432 ONENOTE.EXE 3432 ONENOTE.EXE 3432 ONENOTE.EXE 3432 ONENOTE.EXE 3432 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1744 wrote to memory of 3796 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 94 PID 1744 wrote to memory of 3796 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 94 PID 3204 wrote to memory of 3432 3204 printfilterpipelinesvc.exe 101 PID 3204 wrote to memory of 3432 3204 printfilterpipelinesvc.exe 101 PID 1744 wrote to memory of 5628 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 103 PID 1744 wrote to memory of 5628 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 103 PID 1744 wrote to memory of 5628 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 103 PID 1744 wrote to memory of 5628 1744 2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe 103 PID 5628 wrote to memory of 5160 5628 F34A.tmp 104 PID 5628 wrote to memory of 5160 5628 F34A.tmp 104 PID 5628 wrote to memory of 5160 5628 F34A.tmp 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-15_8005b63da0a2688ea287976c6f943abe_darkside.exe"1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
PID:3796
-
-
C:\ProgramData\F34A.tmp"C:\ProgramData\F34A.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:5628 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F34A.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:5160
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4368
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{5F4B857B-031A-49FF-9D3B-230718EC1328}.xps" 1337614701889100002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3432
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5c829c1a74bce2c766f4ad164c94fae9e
SHA18f334245260277af90fed4eb39168e0f4d231aa2
SHA256c95fbb508e91b788ab86d19772773059db60f4400d29dc3ae03212ca841b3132
SHA51285abcd0a457f35c5f85c637d470a0ec141cbf49d8e2f4eeacc9f51679b673d163cb50b92d062be292bf9e36cfb04181244110c6a5fbccbb5ade7985fc9263939
-
Filesize
334B
MD588f6599d557ec2b7a12b3ab4faf3c364
SHA11bc917d0543deee57c7e13f7ed182c8692e69458
SHA256781cf1f98ccd2cf18079967e28996a722e75fa28cb2ecc8b638e2efcdf751e8d
SHA512d1633a186dbc849f8c056bd53df4b24f972f170cb4e602b487d89b9762ce78699cf148d70f62272e8e2d13888a73b38910b43c378af8d21102a3fd2e08731d19
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
145KB
MD54c6fc9aa85535c6465e8999a4b5bab9f
SHA1fdb06c49d86375480b36943b97015dc33ac1c1db
SHA256960fd718c0a3c2ada4d5c604deb457391060db1b4cd2700796f5f82448036119
SHA5128a0b1b136a173ba9ba70bdbb465a94c63c2cecdd91b5e3660844a7d414f508ae988a111b1e551f1d26728bade1f43b991397543d8a021c5166dc2876b48e62e5
-
Filesize
4KB
MD5350cac3b60c0ad35a63c88151ebdadb0
SHA146a7157d030dc2cd74b2fba2b90acd5b0ccd39e8
SHA256f33889f5a4907fc2ccb3ec02b4c1cdc1672ba2b93d86a4ed99e8c213bb3f5bd6
SHA512062988baa2bacc4fe10e10911da13d4cf614da6f14eee5a318920b8d0f4ca8a80e05082bb2fc0e5f6e22220650eabcb63be99b02191f8bdff4ae8ad73b1209ed
-
Filesize
129B
MD58f7de8386b244d7016649660fc787b74
SHA1a0cbf9134ecc6db87047e196ad7e49b02fca6237
SHA256434de5303e0e74d2e8be7bc9daa2aa03ccceb04f40eb4a526d4ef1f7970a99ee
SHA51278ae13ee4434b8a5a4ef297f3a8a11ef5aa70201ef2444696b57e896376c83292ceb4fe340f23b73edbb52f57084e61a75489537de812f6d5b064e4040d88358