5fee867e93f672a561fedf8bb2d8525ab4a9146a51f922c88d34eb5c2d60561d

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Size

148KB
MD5

475f6e42f0cb53fc60fa80022826489f
SHA1

b1dc8069d4d667af8cc8cbff950dc7a67a129cc8
SHA256

5fee867e93f672a561fedf8bb2d8525ab4a9146a51f922c88d34eb5c2d60561d
SHA512

04663b3c60b26fcde8e1b30c061242ec0356b467d62b17128a4c72608e71425f43f540a41a60ba5c88b8a50f3a78bb5fcdddeea68589ac83806b24e22ecd9335
SSDEEP

3072:pqJogYkcSNm9V7DHjsdAzWxxLaMdg9nW2T:pq2kc4m9tDDsdAzWCMdY

Score

10^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\utZMwPnzM.README.txt

Ransom Note

███╗ ███╗ █████╗ ███╗ ██╗██╗ █████╗ ██████╗██████╗ ██╗ ██╗██████╗ ████████╗ ████╗ ████║██╔══██╗████╗ ██║██║██╔══██╗██╔════╝██╔══██╗╚██╗ ██╔╝██╔══██╗╚══██╔══╝ ██╔████╔██║███████║██╔██╗ ██║██║███████║██║ ██████╔╝ ╚████╔╝ ██████╔╝ ██║ ██║╚██╔╝██║██╔══██║██║╚██╗██║██║██╔══██║██║ ██╔══██╗ ╚██╔╝ ██╔═══╝ ██║ ██║ ╚═╝ ██║██║ ██║██║ ╚████║██║██║ ██║╚██████╗██║ ██║ ██║ ██║ ██║ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ What Happened? All your important files have been stolen and encrypted and only WE can decrypt your files but if you do not pay we will remove your unique decryption software and publish your data to the public. How do i pay? Send 300$ worth of BTC to the following wallet, then contact us on discord using the username: ballets4 we will give you the decryption software after the payment has been confirmed and delete the data we stole. Bitcoin wallet: bc1qgngtzxgt3vcgx7andfl2temn3vt4unf5lmcqkj How can i trust you? Because nobody will trust us if we cheat users and whats the point of not giving you the decryption software. DO NOT try to decrypt your files yourself as this may cause a permanent file corruption. DO NOT rename any file as this may also cause a file corruption. You only have 3 days to pay, if you did not contact us or pay us in these 3 days we will release your data to the public and remove your unique decryption software.

Signatures

Renames multiple (626) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	F260.tmp

Deletes itself 1 IoCs

pid	Process
1780	F260.tmp

Executes dropped EXE 1 IoCs

pid	Process
1780	F260.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPgf3oa0xr0k0p1vn1w2_n91e4c.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPvx2c6gbk0bglyl3_w0_zydtnb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP7lzko9znb_io9ij2898eve2eb.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\utZMwPnzM.bmp"	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\utZMwPnzM.bmp"	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1780	F260.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F260.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\WallpaperStyle = "10"	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp
1780	F260.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeDebugPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: 36	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeImpersonatePrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeIncBasePriorityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeIncreaseQuotaPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: 33	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeManageVolumePrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeProfSingleProcessPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeRestorePrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSystemProfilePrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeTakeOwnershipPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeShutdownPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeDebugPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeBackupPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
Token: SeSecurityPrivilege	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4804	ONENOTE.EXE
4804	ONENOTE.EXE
4804	ONENOTE.EXE
4804	ONENOTE.EXE
4804	ONENOTE.EXE
4804	ONENOTE.EXE
4804	ONENOTE.EXE
4804	ONENOTE.EXE
4804	ONENOTE.EXE
4804	ONENOTE.EXE
4804	ONENOTE.EXE
4804	ONENOTE.EXE
4804	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 3416	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe	84
PID 5032 wrote to memory of 3416	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe	84
PID 3256 wrote to memory of 4804	3256	printfilterpipelinesvc.exe	91
PID 3256 wrote to memory of 4804	3256	printfilterpipelinesvc.exe	91
PID 5032 wrote to memory of 1780	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe	92
PID 5032 wrote to memory of 1780	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe	92
PID 5032 wrote to memory of 1780	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe	92
PID 5032 wrote to memory of 1780	5032	2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe	92
PID 1780 wrote to memory of 3720	1780	F260.tmp	93
PID 1780 wrote to memory of 3720	1780	F260.tmp	93
PID 1780 wrote to memory of 3720	1780	F260.tmp	93

C:\Users\Admin\AppData\Local\Temp\2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-27_475f6e42f0cb53fc60fa80022826489f_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:3416
- C:\ProgramData\F260.tmp
  "C:\ProgramData\F260.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F260.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2128

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9BD8E487-313A-447E-AF4F-14F68378A36E}.xps" 133824510156850000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini

Filesize
129B

MD5
4156567dc743002627a7becf83f97af4

SHA1
a465b3347c63bf98da1fd697c064333807cdac92

SHA256
7b1abf05f6b8a19bef1ec02ed9ed5b973ee88bccef9eaf2b5588a0ccac7b2d61

SHA512
e0a932946330c2cb1cfff294e879209aaeef695d54d69742354afb19b718091b46cfe70a590290736dc992dca0b4d3441e47e718b308e1e2e5e71cbbc98d8c6e

Download Submit
C:\ProgramData\F260.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
148KB

MD5
9a7b436817ccd4ddd01a9aad3c6cba25

SHA1
4f654e707ae3c247e903854813a879079d0f4a20

SHA256
5a2006d650b5230e6611b20ef2f4ecc6cc43f3a1d484aec69d8189d3432c79bf

SHA512
2e353488fee770059137e134060a53c48e2c67e040a009d4114c1103c4ee0dac99f044659af7125e55232e71f2eb5b5642d428ab84313bc1685936e2ddb2e63a

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
709a1e8af3707e7bdd80bf52a3687955

SHA1
503b97c9d1d2d1ad6a01551ac5a676c38b438315

SHA256
a728c47364eab0caa27327e5e9aff4c3492427bd8c3195b4869f44eb8ba8e974

SHA512
6bb458fb39250b79c326e414f91b19b6fdf7e0e756eb20c5f9e980a4c63bf464ace3abeb6bfbda1c4ded8a82a428b1870d141a4d3af931ca42aed6367af1ee02

Download Submit
C:\utZMwPnzM.README.txt

Filesize
2KB

MD5
d9e1661bc09300cad8aa8d795b9ce0b3

SHA1
1676ba84687a2d7b27f73f3a37500317ba0d30a4

SHA256
e2fa3f74d96324cd7dd0d611843e8102e897a8d65beac9d9491e8c42a7ada8bd

SHA512
9fdaa9b0f68c19eba772fcb5b2ceaf371a0b78435a296765c3dbcdc5890218523d5844708473a685cf12ec559163fc3c87928b12e46bfda92faf2c5fc2d57f7f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4089630652-1596403869-279772308-1000\DDDDDDDDDDD

Filesize
129B

MD5
fe12610c84adcb3b81e03fffa24cc65c

SHA1
79d5f5c4a0914274fea53b08b638e058cad39f71

SHA256
3a860f08989c539dbb8a58964f4be4287829ff320d352408657a5d6b492105ae

SHA512
99a1be077fe0157ccaced146db7f7477be5e9f50d39a27bde5312b56ad23655b766d13aea8db00d8cabda73ca49993f4eb1cb3571c8d5c18afb34b51adad6c5d

Download Submit
memory/4804-2984-0x00007FFF8A4B0000-0x00007FFF8A4C0000-memory.dmp

Filesize
64KB

Download
memory/4804-2982-0x00007FFF8A4B0000-0x00007FFF8A4C0000-memory.dmp

Filesize
64KB

Download
memory/4804-2986-0x00007FFF8A4B0000-0x00007FFF8A4C0000-memory.dmp

Filesize
64KB

Download
memory/4804-2981-0x00007FFF8A4B0000-0x00007FFF8A4C0000-memory.dmp

Filesize
64KB

Download
memory/4804-2980-0x00007FFF8A4B0000-0x00007FFF8A4C0000-memory.dmp

Filesize
64KB

Download
memory/4804-3016-0x00007FFF87DF0000-0x00007FFF87E00000-memory.dmp

Filesize
64KB

Download
memory/4804-3018-0x00007FFF87DF0000-0x00007FFF87E00000-memory.dmp

Filesize
64KB

Download
memory/5032-2967-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/5032-2968-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/5032-2966-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/5032-0-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/5032-2-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/5032-1-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download