General

  • Target

    2024-02-24_4fde0fbcfdfcb2f4ff22cf7e15d5718d_darkside

  • Size

    1.2MB

  • Sample

    240224-c6ntnaff8y

  • MD5

    4fde0fbcfdfcb2f4ff22cf7e15d5718d

  • SHA1

    c488c491e4248941d5a22b66ca2c096e4fa8270f

  • SHA256

    0447c931bb8efc6dc531f69a891f2a0f28a85a18b25e04366fdb59bf827b2eb1

  • SHA512

    9bca7790b48b51beb49978bb46d3c078c25bd5b4d7a397e9bfb16ad51b7648bf44c755c3e56b3f52f1ea133ca8388f92e0b4a308b6fd8b1af39893a6e53d4272

  • SSDEEP

    24576:ZNxSJslvwqeH5TDdy6gGYXI152bFYEGsMOPRgH8vt+t7d1LeEqotPntpMWhP+c3O:ZbJ7IaOac4Mn3tAjXLz

Malware Config

Extracted

Path

C:\Users\Admin\xa1Xx3AXs.README.txt

Ransom Note
~~~ LockBit 4.0 Ransomware since 2024~~~

>>>> Your data are stolen and encrypted
Price = 1000 $
Bitcoin = 328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2
Email = [email protected]

>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment.

>>>> Your personal DECRYPTION ID: A3138014A48684D6D525F3F372263313

>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
Wallets

328N9mKT6xFe6uTvtpxeKSymgWCbbTGbK2

Targets

    • Detects executables packed with BoxedApp

    • Renames multiple (8925) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks