Analysis
- max time kernel: 121s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13-03-2024 00:45
Behavioral task: behavioral1
- Sample: 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
- Size: 149KB
- MD5: f28a75de3d39b47c7529146ea4195e6b
- SHA1: 0442ba2c8e9f585acbb4ab9f8f99ea84af729e86
- SHA256: 8732b3934981357a625f425af08731a6bb5fc00f3a957dd4518de98cf84d08d7
- SHA512: ab2765f862a5a014a3f31f697fe1915778ab40c40cc25f66cc19c0a3bad546ca867649430a1b398ee48599e74be609d8ea76e52491c3294f507f505d4b3bb4a2
- SSDEEP: 3072:Z6glyuxE4GsUPnliByocWepTXD5R8yBq/a0vV0:Z6gDBGpvEByocWep1eyaa0vV0
Malware Config
Extracted from: C:\Users\Admin\z9VLivqzH.README.txt
- lockbit
- https://twitter.com/hashtag/lockbit?f=live
- https://tox.chat/download.html
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Deletes itself (1 IoC)
  Processes:
  pid | process
  2908 | 1796.tmp
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  2908 | 1796.tmp
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\z9VLivqzH.bmp" | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\z9VLivqzH.bmp" | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  Processes:
  pid | process
  3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe (4 entries)
  2908 | 1796.tmp (1 entry)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Control Panel (2 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
- Modifies registry class (5 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\z9VLivqzH\DefaultIcon\ = "C:\\ProgramData\\z9VLivqzH.ico" | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.z9VLivqzH | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.z9VLivqzH\ = "z9VLivqzH" | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\z9VLivqzH\DefaultIcon | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\z9VLivqzH | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
  pid | process
  3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe (16 identical entries)
- Suspicious behavior: RenamesItself (26 IoCs)
  Processes:
  pid | process
  2908 | 1796.tmp (26 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeAssignPrimaryTokenPrivilege | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Token: SeBackupPrivilege | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Token: SeDebugPrivilege | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Token: 36 | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Token: SeImpersonatePrivilege | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Token: SeIncBasePriorityPrivilege | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Token: SeIncreaseQuotaPrivilege | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Token: 33 | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Token: SeManageVolumePrivilege | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Token: SeProfSingleProcessPrivilege | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Token: SeRestorePrivilege | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Token: SeSecurityPrivilege | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Token: SeSystemProfilePrivilege | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Token: SeTakeOwnershipPrivilege | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Token: SeShutdownPrivilege | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Token: SeDebugPrivilege | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
  Token: SeBackupPrivilege and Token: SeSecurityPrivilege, alternating in pairs | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe (48 further entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 3012 wrote to memory of 2908 | 3012 | 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe | 1796.tmp (5 entries)
  PID 2908 wrote to memory of 2860 | 2908 | 1796.tmp | cmd.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe"
  PID: 3012
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\1796.tmp (depth 2)
    Command line: "C:\ProgramData\1796.tmp"
    PID: 2908
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1796.tmp >> NUL
      PID: 2860
Network
MITRE ATT&CK Enterprise v15
Downloads