Analysis

  • max time kernel
    121s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-03-2024 00:45

General

  • Target

    2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe

  • Size

    149KB

  • MD5

    f28a75de3d39b47c7529146ea4195e6b

  • SHA1

    0442ba2c8e9f585acbb4ab9f8f99ea84af729e86

  • SHA256

    8732b3934981357a625f425af08731a6bb5fc00f3a957dd4518de98cf84d08d7

  • SHA512

    ab2765f862a5a014a3f31f697fe1915778ab40c40cc25f66cc19c0a3bad546ca867649430a1b398ee48599e74be609d8ea76e52491c3294f507f505d4b3bb4a2

  • SSDEEP

    3072:Z6glyuxE4GsUPnliByocWepTXD5R8yBq/a0vV0:Z6gDBGpvEByocWep1eyaa0vV0

Malware Config

Extracted

Path

C:\Users\Admin\z9VLivqzH.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~

>>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom

>>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live

>>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: BFDE7C305BA929B06C26CF6EDF44A054E8D35378E7C3A603A15313F285B99E5EED08EC4E3FC4 XMPP (Jabber) Support: [email protected]

>>>> Your personal DECRYPTION ID: 99CFA9F060AB07458650C45F0BC2A726

>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!

>>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: BFDE7C305BA929B06C26CF6EDF44A054E8D35378E7C3A603A15313F285B99E5EED08EC4E3FC4 XMPP (Jabber) Support: [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser

URLs

https://twitter.com/hashtag/lockbit?f=live

https://tox.chat/download.html

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\ProgramData\1796.tmp
      "C:\ProgramData\1796.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1796.tmp >> NUL
        3⤵
        PID:2860

Downloads

    • C:\$Recycle.Bin\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini

      Filesize

      129B

      MD5

      0817cc220a866ce6a8c20e36be65f928

      SHA1

      d8a1786c8969a1dcca72db4e46e8317c03cf4422

      SHA256

      10bf6920a4deefe4458cd6d7f7c73fa03c264f4b856088f792f8c29577898a88

      SHA512

      075834ac463a881512eb3d7e4b71352bf45a55d8c0ece9d4ec49c0ee200f4bb32f5868189b1a38d6ba5cec691660c502779765e59a84eab25907c26698610494

    • C:\Users\Admin\AppData\Local\Temp\UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU

      Filesize

      149KB

      MD5

      bbd5de6febc728af7a9f8039fcb2442f

      SHA1

      52ee04700dbb70e096412917dd45033ffaea0153

      SHA256

      49ea955576b153152372582a0866498e50fbc894d48c658402933926ffd37c81

      SHA512

      3df1d5a1340b5224266efb11d34c32f4acb916fd8facb50bc8030c1770d3d6a64152f115edf119e9cb8f356517264f7458c7c63364f88ac47272c474eb921f99

    • C:\Users\Admin\z9VLivqzH.README.txt

      Filesize

      2KB

      MD5

      db54ef7fcad3bea4d20c8e06f051e2e0

      SHA1

      9bdc405763cb34d3e06f8eeac8fab8807495a15e

      SHA256

      10fa497a565b006d336b1c02f9bc1fcb799559d2f2b699cc78dcf5cf3991e6f7

      SHA512

      6ac1283aaeac11611ad6a06aa8ee5bd55a8110e072539407c058c467c52ed255cd152ab9d282ebb460db8b4414e39bffdb3e180943f2311411e19b06b07b059b

    • F:\$RECYCLE.BIN\S-1-5-21-1650401615-1019878084-3673944445-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      f0628149bb0e148b335886c978481467

      SHA1

      6894701a12246c4ad32ab55563b56584137f061a

      SHA256

      3792718679a60e153fad3eeab98052760ecb17c2ac897758e7d1cb22f14d1944

      SHA512

      ee46766e87eab9ba07b28f7080deb9300a825effc12a27b70a9f0e64f610a4d8be0e91c600f5276b5491ba0f8c01e698dcd12f9d8b912c949c4bac4c7ecad64a

    • \ProgramData\1796.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/2908-870-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

    • memory/2908-892-0x00000000003B0000-0x00000000003F0000-memory.dmp

      Filesize

      256KB

    • memory/2908-895-0x00000000003B0000-0x00000000003F0000-memory.dmp

      Filesize

      256KB

    • memory/2908-896-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

    • memory/2908-897-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

    • memory/2908-903-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB

    • memory/2908-904-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

    • memory/3012-0-0x0000000002150000-0x0000000002190000-memory.dmp

      Filesize

      256KB