Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 04:02
Behavioral task
behavioral1
Sample
2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe
-
Size
147KB
-
MD5
43341d5a1d976b348d42ad9c0f9c605d
-
SHA1
fe704f8a65f572217bcfe147057dc57adf4476f0
-
SHA256
7320950d74a2fc29fc3067391a3e5f8b180b5cf84e6fbd41d7cb32067ee41c86
-
SHA512
c17578c5b004cf359548dee26fa1c4967608b9aa7536e29413fc916005179ef3b2c2276311afbfa7a0275c0b598417786ae39564178855896768622524b8ab23
-
SSDEEP
3072:J6glyuxE4GsUPnliByocWeplByuVgn/zHHwB65:J6gDBGpvEByocWepyF26
Malware Config
Extracted
C:\4i9YfYWBr.README.txt
Signatures
-
Renames multiple (607) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation A808.tmp -
Deletes itself 1 IoCs
pid Process 2580 A808.tmp -
Executes dropped EXE 1 IoCs
pid Process 2580 A808.tmp -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\spool\PRINTERS\PPl3pz4k0pl_pep0sj8q06kqap.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPw0l1wchksrs33qa0f9ye21j2.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPcn6vhbf6w1f2n8cmxml90dz7c.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\4i9YfYWBr.bmp" 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\4i9YfYWBr.bmp" 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 2580 A808.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language A808.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\WallpaperStyle = "10" 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Modifies registry class 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\4i9YfYWBr\DefaultIcon\ = "C:\\ProgramData\\4i9YfYWBr.ico" 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.4i9YfYWBr 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.4i9YfYWBr\ = "4i9YfYWBr" 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\4i9YfYWBr\DefaultIcon 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\4i9YfYWBr 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp 2580 A808.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeDebugPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: 36 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeImpersonatePrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeIncBasePriorityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeIncreaseQuotaPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: 33 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeManageVolumePrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeProfSingleProcessPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeRestorePrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSystemProfilePrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeTakeOwnershipPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeShutdownPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeDebugPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeBackupPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe Token: SeSecurityPrivilege 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 1928 ONENOTE.EXE 1928 ONENOTE.EXE 1928 ONENOTE.EXE 1928 ONENOTE.EXE 1928 ONENOTE.EXE 1928 ONENOTE.EXE 1928 ONENOTE.EXE 1928 ONENOTE.EXE 1928 ONENOTE.EXE 1928 ONENOTE.EXE 1928 ONENOTE.EXE 1928 ONENOTE.EXE 1928 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4448 wrote to memory of 3580 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 84 PID 4448 wrote to memory of 3580 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 84 PID 5040 wrote to memory of 1928 5040 printfilterpipelinesvc.exe 87 PID 5040 wrote to memory of 1928 5040 printfilterpipelinesvc.exe 87 PID 4448 wrote to memory of 2580 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 88 PID 4448 wrote to memory of 2580 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 88 PID 4448 wrote to memory of 2580 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 88 PID 4448 wrote to memory of 2580 4448 2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe 88 PID 2580 wrote to memory of 1664 2580 A808.tmp 89 PID 2580 wrote to memory of 1664 2580 A808.tmp 89 PID 2580 wrote to memory of 1664 2580 A808.tmp 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-19_43341d5a1d976b348d42ad9c0f9c605d_darkside.exe"1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
PID:3580
-
-
C:\ProgramData\A808.tmp"C:\ProgramData\A808.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A808.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:1664
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:2500
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{4CD0570F-657A-4014-B34B-A24CDA130677}.xps" 1337905455817300002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1928
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD59d39220f86201bea7eed8986bfdaee7e
SHA1f22e37a02d4768e16eb605c0851a5057defe2d1e
SHA256fc5141677605ec3002b20dbfee393c9e5b029fea679c9666bfad7f6ad7da943b
SHA5129de90b211a774b61a041ab6a520a971f270e8f1b9950de84af4c986274f1da0abd7a16bc8b98c58ccf82567a844757ccf020d6bdbeb3bacff77450767661cccf
-
Filesize
1KB
MD53ada01b616e140ae59cdaad69674a811
SHA1704f23db0249fee5710e542e34c49a69f88ca8f1
SHA256aeeb458cd84a400cca7f7e84784d5738476c8b12e5d78c6db715af1b77f487e2
SHA51226061425137a69e7b2c4e76797f0adc95bd6d817d9c40dc2b821f4704cfa1a70cf6c4c6866afa489b74251060dc436c10aaa63cd552d18f511973783938de4f4
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
147KB
MD519c41357f30ab8820ae2cc942c4b7ea1
SHA1296a7bf636adb3be8b349385bc860d7620eb9f9f
SHA2563996ef4d42597e41622c6f486fe804af7fd912939d55988bd3d7ee9e4b0b0470
SHA512b9c079a3de1dcfe94d58fe9dab23dcb30461d9cd6ac65c66414d008e8bd69122af00c5cc73346b10f3a4a0a533a5ffb8f1ba718ee219f2e08af2324a0c822427
-
Filesize
4KB
MD5b59235983b85c56eea79cfca8d6d7d6d
SHA1e8712f53f47706fd4fba9bdfde76932fd24943f2
SHA25622c87b4b529e12cf2eb82701de516fa3f6aaf36e03d0777a554f66b813e5a374
SHA5126bf870944d10daac9d31a7e5dfe0a635a144bf557feab0e2d034dbf5fda522f8ee1d5d5d1a2986fb1744bed97900dce210cbc8864b2934f588ba5c1a197f2f6c
-
Filesize
4KB
MD5db92eaaaf6028cfa21cd12728ad76232
SHA1a193254fc622757efe568c8d657f62e227a2fb60
SHA2568971d7da1f0c130fe950890e46fb086d2984a6b93f6e8d6021900f2cad234c38
SHA512e394ef99be63d8bd75b4b964b0b0dd2de3bd1629c751440e4c3a52b0f18aad04034a116a0b52775a7a31ea85359902c49c4705e8eca85a3d867e3497468ba4f7
-
Filesize
129B
MD5ed8ac5c00a300358eddc47799e57b88c
SHA1e8ecba8a210e376e0b90a74b857ebf6758dcd0b6
SHA25619883533cb3ae4c21a94ea22ccf2ada17d9c2be2606ae153f2357d48f4d860a0
SHA5120322c9556064703a6d22486d617d2d9f3ded4a2db0682434fb91fde72af128081ad44b7d86d6d76191a6e2faf3a6a14d21fd5df49eca41488ec1af090742095b