Analysis
- max time kernel: 93s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2024 03:57
Behavioral task: behavioral1
- Sample: 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe
- Resource: win10v2004-20241007-en
General
- Target: 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe
- Size: 147KB
- MD5: 43341d5a1d976b348d42ad9c0f9c605d
- SHA1: fe704f8a65f572217bcfe147057dc57adf4476f0
- SHA256: 7320950d74a2fc29fc3067391a3e5f8b180b5cf84e6fbd41d7cb32067ee41c86
- SHA512: c17578c5b004cf359548dee26fa1c4967608b9aa7536e29413fc916005179ef3b2c2276311afbfa7a0275c0b598417786ae39564178855896768622524b8ab23
- SSDEEP: 3072:J6glyuxE4GsUPnliByocWeplByuVgn/zHHwB65:J6gDBGpvEByocWepyF26
Malware Config
- Extracted: C:\4i9YfYWBr.README.txt
Signatures
- Renames multiple (596) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (377.tmp)
- Deletes itself (1 IoC)
  pid 3412, 377.tmp
- Executes dropped EXE (1 IoC)
  pid 3412, 377.tmp
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini (2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe)
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini (2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe)
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (4 IoCs)
  File created: C:\Windows\system32\spool\PRINTERS\PPvw757rju3l5it903lsq3ab06c.TMP (printfilterpipelinesvc.exe)
  File created: C:\Windows\system32\spool\PRINTERS\00002.SPL (splwow64.exe)
  File created: C:\Windows\system32\spool\PRINTERS\PP9vvqm7jx3pcmrpxufjxdl9glc.TMP (printfilterpipelinesvc.exe)
  File created: C:\Windows\system32\spool\PRINTERS\PPxvt59dvke8wmggqanpxl0r7sc.TMP (printfilterpipelinesvc.exe)
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\4i9YfYWBr.bmp" (2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\4i9YfYWBr.bmp" (2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid 1224, 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe (4 entries)
  pid 3412, 377.tmp (1 entry)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (377.tmp)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (ONENOTE.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (ONENOTE.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (ONENOTE.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (ONENOTE.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (ONENOTE.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (ONENOTE.EXE)
- Modifies Control Panel (2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\WallpaperStyle = "10" (2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop (2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe)
- Modifies registry class (5 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.4i9YfYWBr\ = "4i9YfYWBr" (2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\4i9YfYWBr\DefaultIcon (2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\4i9YfYWBr (2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\4i9YfYWBr\DefaultIcon\ = "C:\\ProgramData\\4i9YfYWBr.ico" (2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.4i9YfYWBr (2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1224, 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe (all 64 entries)
- Suspicious behavior: RenamesItself (26 IoCs)
  pid 3412, 377.tmp (all 26 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All entries: pid 1224, 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe. Tokens in the order recorded: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege; the remaining entries alternate between SeBackupPrivilege and SeSecurityPrivilege (each repeated in pairs).
- Suspicious use of SetWindowsHookEx (13 IoCs)
  pid 2588, ONENOTE.EXE (all 13 entries)
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1224 wrote to memory of 2036 (pid 1224, 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe, procid_target 86) - 2 entries
  PID 4180 wrote to memory of 2588 (pid 4180, printfilterpipelinesvc.exe, procid_target 96) - 2 entries
  PID 1224 wrote to memory of 3412 (pid 1224, 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe, procid_target 97) - 4 entries
  PID 3412 wrote to memory of 1844 (pid 3412, 377.tmp, procid_target 99) - 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe"
  PID: 1224
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2036
    - Drops file in System32 directory
  - C:\ProgramData\377.tmp
    Command line: "C:\ProgramData\377.tmp"
    PID: 3412
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\377.tmp >> NUL
      PID: 1844
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 1104
- C:\Windows\system32\printfilterpipelinesvc.exe
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  PID: 4180
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9ED39FEE-906D-450B-B339-0FACE1E1DDA1}.xps" 133790542588150000
    PID: 2588
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: 6021f17c2e220162ab50085e2482bc8a
  SHA1: 33245cd57531573b0db205a8fa7e1801467c65b1
  SHA256: b81ed018862bdf5d7366a5a5e12747b3301e112fc8081c32685119c1252931bc
  SHA512: 512fdeb9fd0ea20ec50a79bdf943337decdc7030a871310ea2e62c7245432032861767adee3b125ec7332b6f98407d97d09a7672f04b16fc6c8228b6354b946a
- Filesize: 1KB
  MD5: 3ada01b616e140ae59cdaad69674a811
  SHA1: 704f23db0249fee5710e542e34c49a69f88ca8f1
  SHA256: aeeb458cd84a400cca7f7e84784d5738476c8b12e5d78c6db715af1b77f487e2
  SHA512: 26061425137a69e7b2c4e76797f0adc95bd6d817d9c40dc2b821f4704cfa1a70cf6c4c6866afa489b74251060dc436c10aaa63cd552d18f511973783938de4f4
- Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
- Filesize: 147KB
  MD5: 065489d49bb36a9b6efbbb461b27bc49
  SHA1: 0e5e97fd7f420d6c643b2ffb53cc47bb54e4ac57
  SHA256: b441f0c0a7bd79532888e34c4d72f26fe95fd92711240ae33a60f6965f24b08f
  SHA512: d65cb933c2ee8c0308769c3894d64b3f75863f7a89f14268548d0f00a95cfef5194b244eb7ba5f8e1f1ff71bc9847d4771064335aebf6a0deb9ec04b9371a23e
- Filesize: 4KB
  MD5: 8d55ce2ba1baf56993ec30f3bb721bb6
  SHA1: 720812ddcc57cb78e21dbbe38e6facc5ee67fb81
  SHA256: be8f191bb42b9899834e19de4fe98489232e6cab81aa84cc1f3e36b3717c6fdc
  SHA512: 708966922351067656a9a7088b80b6f2ec6a1cd53f64f9402c2dd90ea1cd68a3c6f8e3cc41c9638d406dbea05be557b111561a0bc5e29243248c77b5843ae8ea
- Filesize: 129B
  MD5: 13e2969c05dc0167133208a6f9517d99
  SHA1: 37604a644d96594e473e39a22e34193962d9c170
  SHA256: aa34babf932dcdf5d99c005146bd0bf13f70d654024d7b09dbcc1f62f9f5e091
  SHA512: 69fa1c10f9b9f98d264c9340e313c6e98bd5bbbdb78b84ca4f331977bf1c9528a8426a33f08ce84c41beb5cfd863b069ad94dd24601399a836962156a4a88997