Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-03-2024 20:27

General

  • Target

    2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe

  • Size

    148KB

  • MD5

    52d4594deedeb91119fe521913a00d63

  • SHA1

    6fe557247936badebc8676248275cd2f00106655

  • SHA256

    74090a22f4713933e21739eb08a99705407554ff204201829894ab38405644f6

  • SHA512

    39c3e13a6982e3368fe4045b836b79398c3a0e9ce1239370e9d084ef9aed0041d9794c2bf2c511343f98fe041139f052a52f5b52437c3259267baf59d8837f69

  • SSDEEP

    3072:7qJogYkcSNm9V7D105NoSUhIhI8YoXXjT:7q2kc4m9tD1Sy1oH

Malware Config

Extracted

Path

C:\QO5k5RIUs.README.txt

Ransom Note
~~~ LockBit 3.0, the fastest ransomware in the world since 2019 ~~~ >>>> What happened? Your data is stolen and encrypted, the data will be published on TOR website if you do not pay the ransom. >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we don't need anything other than your money. If you pay, we will provide you with the decryption programs and delete your data. Life is too short to be sad. Don't be sad, money is just paper. If we don't provide you with decryptors or delete your data after payment, no one will pay us in the future. This is why our reputation is very important to us. We attack businesses worldwide and there are no unsatisfied victims after payment. You can get information about us on Twitter: https://twitter.com/hashtag/lockbit?f=live >>>> How to pay to get the decryptor? You must contact us by email to be able to send us a message with the payment screenshot with your personal decryption id, so we will contact you again to give you our recovery software. Your personal decryption id: 8B87E170009F89205E2BC9479BA0BAB4 Our Bitcoin payment address: bc1q43rlc0qscd4xh2p5xxk2hnqtd4qrg4c9sn3f84 The amount to pay: 200.00$ Our contact email address: [email protected] >>>> Why Bitcoin? As for the issue of anonymity, bitcoin is often considered more anonymous than traditional payment methods because it is not directly linked to your identity. Bitcoin transactions are recorded on a public blockchain, but they are pseudonymous. >>>> How to buy bitcoin? To buy bitcoin, start by looking for trusted exchanges like Coinbase, Binance, or Kraken. Once registered on one of these platforms, explore options for purchasing bitcoin using your local currency. Familiarize yourself with the process of verifying and securing a digital wallet. >>>> Information? Attention ! Do not delete or modify any files, this may cause recovery problems! Attention ! If you don't pay the ransom, we will repeatedly attack your business again!
URLs

https://twitter.com/hashtag/lockbit?f=live

Signatures

  • Renames multiple (577) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\ProgramData\5488.tmp
      "C:\ProgramData\5488.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5488.tmp >> NUL
        3⤵
          PID:4788

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-566096764-1992588923-1249862864-1000\VVVVVVVVVVV

      Filesize

      129B

      MD5

      b0ba0c215c2801a48a5fe72f03f522df

      SHA1

      740ae90be98edcb6678a282f364d183577f49a4e

      SHA256

      722659c5cd315a48d64f326d427515b285ff480e5400dcbb5a9c45c9907a6cee

      SHA512

      0d47b6cb66ccc0b6b514dda66abd92d2f5bb0d2f43e5547b4071dfaaedde269f77800b5044b18fd37fa1957c840c1d6903c5368ef759ad47a3f06b48e3f0087a

    • C:\ProgramData\5488.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\QO5k5RIUs.README.txt

      Filesize

      2KB

      MD5

      969eefd53ce46f724b4c45f426b28f70

      SHA1

      cc626fa772b4b79af2cebe56cfb4cbef63d31544

      SHA256

      c2431ae1310671c5c7e13d005e0b9c53f17bafa31fe2d75f6bd645f7deeb01b1

      SHA512

      85f745c97e569e3b8afcb2547bb6b47b05345bb2d2bf8874c67e873f412a1be95ab46264db030856b959309efb9cc31dbca227eaa80cfa68d8e7a0d74aff72b8

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      148KB

      MD5

      d31ed902e8f83cb80f4f63b21767680f

      SHA1

      70c3e53964f179247e12564b1025b9d6f07f517b

      SHA256

      713135b6817cb131443f0acd6fc961aad7345b53b8a28f4f0024f4b792151b57

      SHA512

      f4acceadc692b959a4ead197b14bd72e5bae7afc663d48d07e7c9a47b4894cc1fd5c5c0de7f742cbdf3167c82b737f8dbb61fa2885bf08356df1e74e507ae448

    • F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      ef8198f13e7836e22c2a394984d95d8b

      SHA1

      2abf24245c0a3fbffff1aece224c3e701f6b7907

      SHA256

      2a366cad9969f32877230598cf5d4a865722fca161cd6d540fed5a4d7fbd003f

      SHA512

      1514f23728436c8fcaea875cdd667b9b88537a8e73308be0100a8b51e3dcdd92f5ac3beedea9ebf2de9a9989f7480e062cb0866f2cfe3f470ecec46e0dc6d786

    • memory/1320-2731-0x000000007FE40000-0x000000007FE41000-memory.dmp

      Filesize

      4KB

    • memory/1320-2732-0x0000000002470000-0x0000000002480000-memory.dmp

      Filesize

      64KB

    • memory/1320-2733-0x0000000002470000-0x0000000002480000-memory.dmp

      Filesize

      64KB

    • memory/1320-2734-0x000000007FE20000-0x000000007FE21000-memory.dmp

      Filesize

      4KB

    • memory/1320-2735-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

      Filesize

      4KB

    • memory/1320-2764-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

      Filesize

      4KB

    • memory/1320-2765-0x000000007FE00000-0x000000007FE01000-memory.dmp

      Filesize

      4KB

    • memory/2112-1-0x0000000001190000-0x00000000011A0000-memory.dmp

      Filesize

      64KB

    • memory/2112-0-0x0000000001190000-0x00000000011A0000-memory.dmp

      Filesize

      64KB

    • memory/2112-2-0x0000000001190000-0x00000000011A0000-memory.dmp

      Filesize

      64KB