13d72d8ee7cdd0d2e343b6dc08b957c9796d411062c6be9d864bded9d7e4c9e1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Size

145KB
MD5

1d073f93fb5d03cf4a956ef84ea5f421
SHA1

64c6f72e368f74479b90cf7b24e9e3ec1d5e9940
SHA256

13d72d8ee7cdd0d2e343b6dc08b957c9796d411062c6be9d864bded9d7e4c9e1
SHA512

a454402d654b05d1cb866cdf836ad137396c777e11c590542d69e1e69ff5fb8f728c4ebdc77a5600369731ea440f28d8b25320190b27c34637d73c69a15397fe
SSDEEP

1536:qzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDmNgwg0XiOiu/8EINw5YkjPGHUk:ZqJogYkcSNm9V7Dm7i1j0XjuT

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeDebugPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: 36	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeImpersonatePrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeIncBasePriorityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeIncreaseQuotaPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: 33	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeManageVolumePrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeProfSingleProcessPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeRestorePrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSystemProfilePrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeTakeOwnershipPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeShutdownPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeSecurityPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
Token: SeBackupPrivilege	1352	2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe

C:\Users\Admin\AppData\Local\Temp\2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-15_1d073f93fb5d03cf4a956ef84ea5f421_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini

Filesize
129B

MD5
95074daf12ccf47d04be0aa1099a3575

SHA1
e907e24431732b51a47f7d7e4027ec91e3aa75bf

SHA256
736da6c9f8350c9665f89570dc19b4d77c9a91cb57b45b1f2346ae18ee76cb0c

SHA512
3d769404969528b610a11fedfa8dcd4beb5c19b88fc3c9b483a28015c92ffceab32463e2aadabebc999feb65f4d0019c4e4bf1427c2c226f105222da59c402d4

Download Submit
C:\dfsQPArFx.README.txt

Filesize
423B

MD5
d86148ed11e9b3c389379a939fb8d17a

SHA1
a05aac18134cef66267fbdbaf86b8bcde17a09e3

SHA256
5684f35b256543644fa9accf0aba2909adf454640fe9d47822d9251f5de880f2

SHA512
a08375ff10572019d8d73de06158f7cbccf96a4e28dc8c646c55bda8248505a63f94d9bab54397af648b6768e9adfc79ee7fc4602796157397e988b7ad825949

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\DDDDDDDDDDD

Filesize
129B

MD5
83cf7d561e18751061284a3071f9b957

SHA1
42a70cb801be54e9da3f3a9383fdeba0d7bb3ea9

SHA256
97536d368e67975ea94623db06ac51213bb3417c20fcbcce1f7d0f16efe422c3

SHA512
3cd15e8fbdc28441d7f9e132f4e1135bc0205fea7d8e7a743401a9c5eb30327d62205a423471babe67270284b12294494a6e7259b4d049aa00d7d0505b61f48a

Download Submit
memory/1352-2-0x0000000003550000-0x0000000003560000-memory.dmp

Filesize
64KB

Download
memory/1352-1-0x0000000003550000-0x0000000003560000-memory.dmp

Filesize
64KB

Download
memory/1352-0-0x0000000003550000-0x0000000003560000-memory.dmp

Filesize
64KB

Download