Analysis
- max time kernel: 119s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 21-02-2024 14:09
Behavioral task: behavioral1
- Sample: 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
- Resource: win10v2004-20240221-en
General
- Target: 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
- Size: 153KB
- MD5: cf7a4ade9a9e486220fad73ee3de22cc
- SHA1: 1b3a6abe0ca317e68b41a9dc9dc27a0687bf05c3
- SHA256: fc073ee5e385a148e0f4d0fd9c1af696d16bd6c8d3507a98d409c2eda858ce23
- SHA512: b7483f65d659ad3d6f486e870805c849dabb258073c55a49a6cdc04d8911321c53edc9424e8b9c11ad4823d12120b689c1bb53d4e39aea1882608f59124b3bb2
- SSDEEP: 3072:FqJogYkcSNm9V7DFOpw0dq7UMrVD59WO+ZYfjET:Fq2kc4m9tDFEw0dqLVD5U/ij
Malware Config
Extracted
- Path: C:\MCgwFy7Y6.README.txt
- Family: lockbit
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Renames multiple (304) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
Processes:
  pid | Process
  2720 | A380.tmp
-
Executes dropped EXE 1 IoCs
Processes:
  pid | Process
  2720 | A380.tmp
-
Loads dropped DLL 1 IoCs
Processes:
  pid | Process
  2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
  description | ioc | Process
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\MCgwFy7Y6.bmp" | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\MCgwFy7Y6.bmp" | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
  pid | Process
  2720 | A380.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 2 IoCs
Processes:
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
-
Modifies registry class 5 IoCs
Processes:
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.MCgwFy7Y6 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.MCgwFy7Y6\ = "MCgwFy7Y6" | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MCgwFy7Y6\DefaultIcon | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MCgwFy7Y6 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MCgwFy7Y6\DefaultIcon\ = "C:\\ProgramData\\MCgwFy7Y6.ico" | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
  pid | Process
  2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe (14 identical entries)
-
Suspicious behavior: RenamesItself 26 IoCs
Processes:
  pid | Process
  2720 | A380.tmp (26 identical entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | Process
  Token: SeAssignPrimaryTokenPrivilege | 2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Token: SeBackupPrivilege | 2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Token: SeDebugPrivilege | 2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Token: 36 | 2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Token: SeImpersonatePrivilege | 2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Token: SeIncBasePriorityPrivilege | 2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Token: SeIncreaseQuotaPrivilege | 2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Token: 33 | 2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Token: SeManageVolumePrivilege | 2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Token: SeProfSingleProcessPrivilege | 2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Token: SeRestorePrivilege | 2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Token: SeSecurityPrivilege | 2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Token: SeSystemProfilePrivilege | 2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Token: SeTakeOwnershipPrivilege | 2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Token: SeShutdownPrivilege | 2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Token: SeDebugPrivilege | 2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  The remaining 48 entries (same pid 2912, same process) are 12 repetitions of the sequence: Token: SeBackupPrivilege, Token: SeBackupPrivilege, Token: SeSecurityPrivilege, Token: SeSecurityPrivilege
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description | pid | Process | procid_target
  PID 2912 wrote to memory of 2720 | 2912 | 2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe | 30 (5 identical entries)
  PID 2720 wrote to memory of 1672 | 2720 | A380.tmp | 31 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-21_cf7a4ade9a9e486220fad73ee3de22cc_darkside.exe"
  PID: 2912
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\A380.tmp
    Command line: "C:\ProgramData\A380.tmp"
    PID: 2720
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A380.tmp >> NUL
      PID: 1672
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x154
  PID: 328
Network
MITRE ATT&CK Enterprise v15
Downloads