Analysis

  • max time kernel
    154s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-03-2024 21:32

General

  • Target

    2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe

  • Size

    156KB

  • MD5

    75e3d908fdddee413481dba88258783b

  • SHA1

    4cd6c1a88f3575d298aa168356651d5237bb72ab

  • SHA256

    36aae3ba1a6fd78e040bba4522f6c15d5a3627ae78b27ff6879ee64d038445a4

  • SHA512

    d7c1e0bd3eb3888579ef696ea48ae4d83d70f08b3bafb23288a81ed40e1501513e2739af119c4a0f9d788f7aa4a6500df80260151a8eeeb7f6fe19fc5cf34256

  • SSDEEP

    3072:ZfDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP33686plZG1kqxSb6W:ZB5d/zugZqll32rZ2txSb

Score
10/10

Malware Config

Extracted

Path

C:\Users\O957g99QW.README.txt

Ransom Note
~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: 27E1278B16C094FDBEA32DFAFEBF9AF6 << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

  • Renames multiple (158) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-12_75e3d908fdddee413481dba88258783b_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1616
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-609813121-2907144057-1731107329-1000\AAAAAAAAAAA

    Filesize

    129B

    MD5

    0e5c609d490e26b9bf84e52b2e025c51

    SHA1

    957153d4df570dadbad1e64f69405a0d3d5580e2

    SHA256

    b3a551d6c36609ff7282e8f64995308d4e060e26a4f72c423e94fa917534f6b8

    SHA512

    ae08f29c4775fd94587c384304f2f84b27b577633674a267e8057c1045fbca75e23c23893dea79b734ae7d7ec16693828d8ef152c706724b9bb2b21115bba006

  • C:\Users\O957g99QW.README.txt

    Filesize

    3KB

    MD5

    1d359e2243649cb97fc92ab9b6f02321

    SHA1

    909542af4d62c800be87dd40fd67f17c6167cd9a

    SHA256

    0ca2802f2b7dc5c1678bffdd140368380f7c42cd6ed9df079adcdb2dbd1666b4

    SHA512

    c3d4fc76f45f37ddc7c071ba6bb86f8ed8c3d8449bb5371a2bfc807d408a1947d745b281c08c65ab246a7da70a3f31cb2c60a29a31577344e14be89d694f04fb

  • F:\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\DDDDDDDDDDD

    Filesize

    129B

    MD5

    cfde14dd4ee675d35cd60385fbb32fab

    SHA1

    c2fcd7d3d0592ab548b2f84eb3920da58f7c1d81

    SHA256

    b14774db4944af0294a80fa83095271f10544649c74a668fe6f5dcc436a42d1a

    SHA512

    d16da60fcdd94dab8c96584e90f7136172f1f04b5805b0f5d05706728c91f02e248b720a46ab71bbcd1b0c43f2669a1459847860ab3086d65d506064f6ca56c1

  • memory/1616-0-0x0000000001320000-0x0000000001330000-memory.dmp

    Filesize

    64KB

  • memory/1616-1-0x0000000001320000-0x0000000001330000-memory.dmp

    Filesize

    64KB

  • memory/1616-2-0x0000000001320000-0x0000000001330000-memory.dmp

    Filesize

    64KB

  • memory/1616-310-0x0000000001320000-0x0000000001330000-memory.dmp

    Filesize

    64KB

  • memory/1616-311-0x0000000001320000-0x0000000001330000-memory.dmp

    Filesize

    64KB

  • memory/1616-312-0x0000000001320000-0x0000000001330000-memory.dmp

    Filesize

    64KB