General
-
Target
2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside
-
Size
149KB
-
Sample
240226-tywyqsae55
-
MD5
2cfd21f10de8f364adb52547229cb26d
-
SHA1
b2d8c83dbdc5a76d6ac478e2a64cbaf8d57a250b
-
SHA256
a340d3ddacb9a9890f94c995510611099a682cf482323b6fd9922c2311c93782
-
SHA512
fa33e73c738577cb63ae02c08673d33fc5262493be80fbba2607caf5cc74468bcec8a424fc35f156502eef3d1b05ab722646d16bb376f27fb330963dad31a228
-
SSDEEP
3072:Z6glyuxE4GsUPnliByocWeps5t83wvOe9Jmn7cKU:Z6gDBGpvEByocWey5t83he9y
Behavioral task
behavioral1
Sample
2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe
Resource
win10v2004-20240221-en
Malware Config
Extracted
C:\5HUsXQO5d.README.txt
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupp.uz
https://tox.chat/download.html
Extracted
C:\5HUsXQO5d.README.txt
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupp.uz
https://tox.chat/download.html
Targets
-
Target
2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside
Score 10/10
-
Renames multiple (360) files with added filename extension
This suggests ransomware activity: the sample is appending an extension to files across the system, consistent with encrypting them.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check to avoid running in certain locales.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
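The "Renames multiple (360) files with added filename extension" signature above is the behaviour a file-monitoring detection can key on: one process appending the same new extension to many files in a short window, with a ransom note dropped alongside. Note that although the sample's filename says darkside, the note contents (lockbit URLs) and the `C:\5HUsXQO5d.README.txt` naming follow the LockBit 3.0 convention of `<extension>.README.txt`, where `<extension>` is the suffix added to encrypted files. The script below is an added example and is not part of the sandbox report or the sample: it replays constructed rename events of the kind Sysmon or an EDR emits, flags the mass-rename, and checks whether the dropped note name matches the appended extension. The appended extension `.5HUsXQO5d`, the threshold, the window and every event are assumptions, since the report does not list the renamed files.

```python
"""Mass-rename heuristic for the 'renames multiple files with added extension' signature.

Added example, not code from the sandbox report or the sample. The rename events,
the threshold/window and the assumed appended extension '.5HUsXQO5d' are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# The sample name as reported by the sandbox; the PID is an assumption.
SAMPLE_IMAGE = "2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe"
SAMPLE_PID = 4120
ASSUMED_EXT = ".5HUsXQO5d"   # assumed from the note name C:\5HUsXQO5d.README.txt


@dataclass(frozen=True)
class RenameEvent:
    ts: datetime
    pid: int
    image: str
    old_path: str
    new_path: str


def added_extension(old_path: str, new_path: str) -> Optional[str]:
    """Return the suffix appended to a file name (e.g. '.5HUsXQO5d'), or None
    if the rename is not a pure append of a dotted suffix in the same folder."""
    old, new = PureWindowsPath(old_path), PureWindowsPath(new_path)
    if old.parent != new.parent or not new.name.startswith(old.name):
        return None
    suffix = new.name[len(old.name):]
    return suffix if suffix.startswith(".") and len(suffix) > 1 else None


def find_mass_renames(events: List[RenameEvent], threshold: int = 20,
                      window: timedelta = timedelta(minutes=5)
                      ) -> Dict[Tuple[int, str, str], int]:
    """Bucket appended extensions per (pid, image, ext) and return the buckets
    where at least `threshold` renames fall inside any `window`-long span."""
    buckets: Dict[Tuple[int, str, str], List[datetime]] = defaultdict(list)
    for ev in events:
        ext = added_extension(ev.old_path, ev.new_path)
        if ext:
            buckets[(ev.pid, ev.image, ext)].append(ev.ts)
    hits: Dict[Tuple[int, str, str], int] = {}
    for key, stamps in buckets.items():
        stamps.sort()
        best, j = 0, 0
        for i, t in enumerate(stamps):          # sliding window over sorted timestamps
            while t - stamps[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def note_matches_extension(note_path: str, ext: str) -> bool:
    """LockBit 3.0 drops '<ext-without-dot>.README.txt' next to encrypted files;
    a note whose stem equals the appended extension corroborates the rename hit."""
    expected = f"{ext.lstrip('.')}.README.txt".lower()
    return PureWindowsPath(note_path).name.lower() == expected


def build_sample_events() -> List[RenameEvent]:
    """Constructed event stream: 25 ransomware-style renames, one benign
    '.bak' rename by explorer.exe, and one rename that changes the name outright."""
    base = datetime(2024, 2, 26, 14, 0, 0)
    events = [
        RenameEvent(base + timedelta(seconds=i), SAMPLE_PID, SAMPLE_IMAGE,
                    rf"C:\Users\victim\Documents\report{i}.docx",
                    rf"C:\Users\victim\Documents\report{i}.docx{ASSUMED_EXT}")
        for i in range(25)
    ]
    events.append(RenameEvent(base + timedelta(seconds=3), 1337, "explorer.exe",
                              r"C:\Users\victim\Desktop\notes.txt",
                              r"C:\Users\victim\Desktop\notes.txt.bak"))
    events.append(RenameEvent(base + timedelta(seconds=4), SAMPLE_PID, SAMPLE_IMAGE,
                              r"C:\Users\victim\Desktop\a.txt",
                              r"C:\Users\victim\Desktop\b.txt"))
    return events


if __name__ == "__main__":
    for (pid, image, ext), count in find_mass_renames(build_sample_events()).items():
        corroborated = note_matches_extension(r"C:\5HUsXQO5d.README.txt", ext)
        print(f"pid={pid} image={image} ext={ext} renames={count} note_match={corroborated}")
```

The sliding window matters in practice: a backup job that renames thousands of files over a day should not trip the rule, whereas an encryptor does its 360 renames in seconds. Tune `threshold` and `window` to the file-event volume your telemetry actually produces.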