General

  • Target

    2024-02-24_4fb4a10158fe5415e8e9468ec2d0dbbc_darkside

  • Size

    146KB

  • Sample

    240224-2cs9qagf6v

  • MD5

    4fb4a10158fe5415e8e9468ec2d0dbbc

  • SHA1

    095a4dd380e86c9d1e6ea0263368b908ee0e1d5d

  • SHA256

    b8c53972ca8e7c683183a34b5a4e17f04d9bca80d8d2e156e99fb8973d41f6b9

  • SHA512

    7092460ecf28dc9202481ba0849a8eb87cae92d9fff7b157e600ee219939d1bf7c534cd3a12ecab4c70e28c313a9f3413ae75398168aed8253147f3db5782b1e

  • SSDEEP

    3072:EqJogYkcSNm9V7DR9+kanoBQOvBEEnbNgT:Eq2kc4m9tDR9lhv+EnJ

Malware Config

Extracted

Path

C:\8O1xgE2fH.README.txt

Ransom Note
~~~ LockBit Black Ransomware Since 2024~~~ >>>> Your data are stolen and encrypted Price = 2000 $ Bitcoin = 328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2 Email = [email protected] >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> Your personal DECRYPTION ID: A3138014A48MK4D6D525F3F372263313 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
Wallets

328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2

Targets

    • Target

      2024-02-24_4fb4a10158fe5415e8e9468ec2d0dbbc_darkside

    • Size

      146KB

    • MD5

      4fb4a10158fe5415e8e9468ec2d0dbbc

    • SHA1

      095a4dd380e86c9d1e6ea0263368b908ee0e1d5d

    • SHA256

      b8c53972ca8e7c683183a34b5a4e17f04d9bca80d8d2e156e99fb8973d41f6b9

    • SHA512

      7092460ecf28dc9202481ba0849a8eb87cae92d9fff7b157e600ee219939d1bf7c534cd3a12ecab4c70e28c313a9f3413ae75398168aed8253147f3db5782b1e

    • SSDEEP

      3072:EqJogYkcSNm9V7DR9+kanoBQOvBEEnbNgT:Eq2kc4m9tDR9lhv+EnJ

    • Renames multiple (8892) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks