Analysis

  • max time kernel
    139s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11-03-2024 19:21

General

  • Target

    2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe

  • Size

    156KB

  • MD5

    0878876cddf35120735b78b595026fd4

  • SHA1

    6d1a48b1f6ad210570c44392654870152b493efd

  • SHA256

    2038b782c400aa80ebf5089ac0138b7c811e43d39b6642a7ca065fc59dde054c

  • SHA512

    69d8c1976533cd7e1d1e9f7de019959770deb17e28d831c4be42e623ab3ff10e924dd29b19d3028eea2ea581ed161eb574d49f81c41a167d18c6486adfa1821b

  • SSDEEP

    3072:2DDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368CmFx8WGWWqM2n5ggVGv5W:Q5d/zugZqll3t1nek

Score
10/10

Malware Config

Extracted

Path

C:\Users\irpHHEyS0.README.txt

Ransom Note
~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: C1254070A41B70A9CFA1D5ACF2F5E707 << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

Signatures

  • Renames multiple (7609) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-11_0878876cddf35120735b78b595026fd4_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\ProgramData\ADBD.tmp
      "C:\ProgramData\ADBD.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      PID:540
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:908
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x154
    1⤵
      PID:2824

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\BBBBBBBBBBB

      Filesize

      129B

      MD5

      9eae36e218700600dd3f40333a87fe80

      SHA1

      8fe10c8ef1cff5d6ccb9d96a5dc65af87e58f96e

      SHA256

      2958d2187768ce8eee4248f998096ad7576076b1af3bca1ade4963b916df1691

      SHA512

      5c9d8ccb46fc63b72b9a002bebfe12335c3446128cd379e8a5e242d8095b3b5b8fab87e3b5426272047b287bccc7f56d559cceb05f5afee0eecf1df885104c71

    • C:\Users\Admin\AppData\Local\Temp\IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII

      Filesize

      28KB

      MD5

      4b59e824a2e060ca8f067a74ea5bef4c

      SHA1

      e7bdf4b434973c7f83d903b2588d65d3a22dfe96

      SHA256

      db7b38b6230885b462f6eed8aadf9c0cea332e66f7b5d4a28cd7a4329130daa6

      SHA512

      55bc6a5c30a97fc86f27da4321c1b6ac6ab61ba1023b7be81cc4e16f7b2fbed84861e1cea3658098321c432b7d3358e9828ea0eb929def5b6cfb30b9d9934524

    • C:\Users\irpHHEyS0.README.txt

      Filesize

      3KB

      MD5

      2b1c45a3d04bb8f9388165562a1b3bd7

      SHA1

      745aa08f7fb10e67868db8fe5dea89a237a91a87

      SHA256

      03d0a1852f40bda9dd3a4f6cfe635544f4559965d2c2be0234696a5900b3b451

      SHA512

      8cc8fef1527a761416da658e99da5167e59bda30c47a6a1b2c14478d6615309b3536d193c4021d19a93444ba231a432dcdf8074010275494b070f8e89995f9cb

    • F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      f2949c673b5d5e409b6f6700d0815828

      SHA1

      e7868d8de0a035c32fc2f51d2d29a718c7c0d6da

      SHA256

      9e92effeb0a1795d15b96d8aa07120110fb74c8f5c9ce1cad12bf570862a2bb3

      SHA512

      3bd7d3022efda0eeb79c07bedc4950b8bd2f2540f6fbb86ea77f773de5d10642e10546ca6186fe9419ca77e2a32c3fde534f7609326d6eddbf4b1eedea124205

    • \ProgramData\ADBD.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/540-11288-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

    • memory/540-11289-0x0000000002360000-0x00000000023A0000-memory.dmp

      Filesize

      256KB

    • memory/540-11293-0x0000000002360000-0x00000000023A0000-memory.dmp

      Filesize

      256KB

    • memory/540-11303-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

    • memory/540-11305-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

    • memory/2456-0-0x0000000000120000-0x0000000000160000-memory.dmp

      Filesize

      256KB