General
Target: 2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside
Size: 148KB
Sample: 240225-wf48haad5t
MD5: cd7d7812314f54d00bd58b2992e2c266
SHA1: 225d4a29632b516b9a4a109f866b3e90e6269c8d
SHA256: b14a55a5dbc52dc58ee5447ced1caaac304e77aca7b5805a25456e2c2338309f
SHA512: a91bf135f00f2d67271a5d2aa8e6b9c65a58b5a3d10e83f30019e63d25eec44f9e9aa24cccde38f12a6be25fe26b7076ff13a1bf987f742d250f75945a2d9664
SSDEEP: 3072:h6glyuxE4GsUPnliByocWepkj1CHnAZRru:h6gDBGpvEByocWeG1W
Behavioral task: behavioral1
Sample: 2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe
Resource: win10v2004-20240221-en
Malware Config
Extracted
Path: C:\Huq5PATQS.README.txt
URL: https://twitter.com/hashtag/lockbit?f=live
Targets
Target: 2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside (size and hashes as listed under General)
Score: 10/10

Signatures
- Renames multiple (327) files with added filename extension. This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings. Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger