Analysis
- max time kernel: 154s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-03-2024 21:32
Behavioral task: behavioral1
- Sample: 2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
- Size: 156KB
- MD5: 75e3d908fdddee413481dba88258783b
- SHA1: 4cd6c1a88f3575d298aa168356651d5237bb72ab
- SHA256: 36aae3ba1a6fd78e040bba4522f6c15d5a3627ae78b27ff6879ee64d038445a4
- SHA512: d7c1e0bd3eb3888579ef696ea48ae4d83d70f08b3bafb23288a81ed40e1501513e2739af119c4a0f9d788f7aa4a6500df80260151a8eeeb7f6fe19fc5cf34256
- SSDEEP: 3072:ZfDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP33686plZG1kqxSb6W:ZB5d/zugZqll32rZ2txSb
Malware Config
Extracted
C:\Users\O957g99QW.README.txt
Signatures
- Renames multiple (158) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops desktop.ini file(s) (2 IoCs)
  Processes:
  description                   ioc                                                                          process
  File opened for modification  C:\$Recycle.Bin\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini   2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini   2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  Processes:
  pid   process
  1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe   (all 6 entries are identical to this row)
- Modifies registry class (5 IoCs)
  Processes:
  description      ioc                                                                                             process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW                                                    2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW\DefaultIcon\ = "C:\\ProgramData\\O957g99QW.ico"    2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.O957g99QW                                                   2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.O957g99QW\ = "O957g99QW"                                    2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW\DefaultIcon                                        2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
  Processes:
  pid   process
  1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe   (all 34 entries are identical to this row)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description                           pid   process
  Token: SeAssignPrimaryTokenPrivilege  1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Token: SeBackupPrivilege              1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Token: SeDebugPrivilege               1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Token: 36                             1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Token: SeImpersonatePrivilege         1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Token: SeIncBasePriorityPrivilege     1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Token: SeIncreaseQuotaPrivilege       1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Token: 33                             1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Token: SeManageVolumePrivilege        1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Token: SeProfSingleProcessPrivilege   1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Token: SeRestorePrivilege             1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Token: SeSecurityPrivilege            1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Token: SeSystemProfilePrivilege       1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Token: SeTakeOwnershipPrivilege       1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Token: SeShutdownPrivilege            1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Token: SeDebugPrivilege               1616  2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Token: SeBackupPrivilege              2948  vssvc.exe
  Token: SeRestorePrivilege             2948  vssvc.exe
  Token: SeAuditPrivilege               2948  vssvc.exe
  The remaining 45 entries (20 to 64) are all for pid 1616 (2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe) and repeat the sequence
  Token: SeBackupPrivilege, Token: SeBackupPrivilege, Token: SeSecurityPrivilege, Token: SeSecurityPrivilege eleven times, ending on a final Token: SeBackupPrivilege.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe"
  PID: 1616
  - Drops desktop.ini file(s)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2948
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 129B
  MD5: 0e5c609d490e26b9bf84e52b2e025c51
  SHA1: 957153d4df570dadbad1e64f69405a0d3d5580e2
  SHA256: b3a551d6c36609ff7282e8f64995308d4e060e26a4f72c423e94fa917534f6b8
  SHA512: ae08f29c4775fd94587c384304f2f84b27b577633674a267e8057c1045fbca75e23c23893dea79b734ae7d7ec16693828d8ef152c706724b9bb2b21115bba006
- Filesize: 3KB
  MD5: 1d359e2243649cb97fc92ab9b6f02321
  SHA1: 909542af4d62c800be87dd40fd67f17c6167cd9a
  SHA256: 0ca2802f2b7dc5c1678bffdd140368380f7c42cd6ed9df079adcdb2dbd1666b4
  SHA512: c3d4fc76f45f37ddc7c071ba6bb86f8ed8c3d8449bb5371a2bfc807d408a1947d745b281c08c65ab246a7da70a3f31cb2c60a29a31577344e14be89d694f04fb
- Filesize: 129B
  MD5: cfde14dd4ee675d35cd60385fbb32fab
  SHA1: c2fcd7d3d0592ab548b2f84eb3920da58f7c1d81
  SHA256: b14774db4944af0294a80fa83095271f10544649c74a668fe6f5dcc436a42d1a
  SHA512: d16da60fcdd94dab8c96584e90f7136172f1f04b5805b0f5d05706728c91f02e248b720a46ab71bbcd1b0c43f2669a1459847860ab3086d65d506064f6ca56c1