13d72d8ee7cdd0d2e343b6dc08b957c9796d411062c6be9d864bded9d7e4c9e1

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Size

145KB
MD5

1d073f93fb5d03cf4a956ef84ea5f421
SHA1

64c6f72e368f74479b90cf7b24e9e3ec1d5e9940
SHA256

13d72d8ee7cdd0d2e343b6dc08b957c9796d411062c6be9d864bded9d7e4c9e1
SHA512

a454402d654b05d1cb866cdf836ad137396c777e11c590542d69e1e69ff5fb8f728c4ebdc77a5600369731ea440f28d8b25320190b27c34637d73c69a15397fe
SSDEEP

1536:qzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDmNgwg0XiOiu/8EINw5YkjPGHUk:ZqJogYkcSNm9V7Dm7i1j0XjuT

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeDebugPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: 36	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeImpersonatePrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeIncBasePriorityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeIncreaseQuotaPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: 33	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeManageVolumePrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeProfSingleProcessPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeRestorePrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSystemProfilePrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeTakeOwnershipPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeShutdownPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	2248	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe

C:\Users\Admin\AppData\Local\Temp\2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini

Filesize
129B

MD5
c1331b88232e1a187176fa21d06e739a

SHA1
833d8fb62eec0fe889f8f2d37c12e4f828434d4b

SHA256
acdc054f381122e31e769f525b74408780391c86a6158f64d6a7a590ba622a21

SHA512
b72a42858bd690e290377628becf8fe6619f731cb31647aa9055bacb9cd04e05a92420c7b0cc18c1a17c50f1f4a8f8e2ae11aa1394b5b273c6a54978d1db0c3f

Download Submit
C:\dfsQPArFx.README.txt

Filesize
423B

MD5
252873dfa3d2faba00b549c139a597f0

SHA1
63c3c47a6b12ed4597e8385a0525cd1d8105acba

SHA256
4a217710f8d8260556375aa29574d67e5847d4648c2b6baa39f91a2ae8102f5a

SHA512
f370ebe2d6bc710ba3e8340d481b847ccba075ef72e49fa569dda1567505b792f5a725895df1c2b029acf17caf45077a27262f1f9be9fa06e9393b82b5e7dcd3

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3290804112-2823094203-3137964600-1000\DDDDDDDDDDD

Filesize
129B

MD5
d2557de4c85e0129f73faf0dfba6a923

SHA1
9b2af82fab742b4f3b1cc5fb29106f62633a8e78

SHA256
80f1243e6ac9a87e60692010c7662b076180a9c6567b0345ca6b20ff64611959

SHA512
bd60df4bca6088d817b606c8932c204b6ac882bed16c790a6e9d91329d06c42507978891a568e2a110c92160c03461157d31d7153174129a0336e69d7d08e533

Download Submit
memory/2248-0-0x0000000000110000-0x0000000000150000-memory.dmp

Filesize
256KB

Download