Analysis

max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-03-2024 00:45
Behavioral tasks

behavioral1: sample 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe, resource win7-20240221-en
behavioral2: sample 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe, resource win10v2004-20240226-en
General

Target: 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
Size: 149KB
MD5: f28a75de3d39b47c7529146ea4195e6b
SHA1: 0442ba2c8e9f585acbb4ab9f8f99ea84af729e86
SHA256: 8732b3934981357a625f425af08731a6bb5fc00f3a957dd4518de98cf84d08d7
SHA512: ab2765f862a5a014a3f31f697fe1915778ab40c40cc25f66cc19c0a3bad546ca867649430a1b398ee48599e74be609d8ea76e52491c3294f507f505d4b3bb4a2
SSDEEP: 3072:Z6glyuxE4GsUPnliByocWepTXD5R8yBq/a0vV0:Z6gDBGpvEByocWep1eyaa0vV0
Malware Config

Extracted from: C:\z9VLivqzH.README.txt
Family: lockbit
URLs in the note:
https://twitter.com/hashtag/lockbit?f=live
https://tox.chat/download.html

The ransom note name, the registered file extension and the dropped icon (see the registry IoCs below) all use the same random token, z9VLivqzH. The note sits in the root of C:, a useful place to look for it during triage.
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019. The submitted filename carries a "darkside" tag, but both this signature and the configuration extracted from the ransom note identify the sample as LockBit.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. For a ransomware sample this signature can also fire simply because file-system traversal during encryption opens browser profile directories, so on its own it is not evidence of credential theft; nothing else in this report (no network activity, no child processes) points to exfiltration.

Drops desktop.ini file(s) (2 IoCs)
Process: 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
File opened for modification: C:\$Recycle.Bin\S-1-5-21-2727153400-192325109-1870347593-1000\desktop.ini
File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-2727153400-192325109-1870347593-1000\desktop.ini
The same Recycle Bin desktop.ini is touched on both C: and F:, i.e. the sample walks every mounted volume, not just the system drive.

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Process: PID 2612 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe (4 occurrences)
NtSetInformationThread with the ThreadHideFromDebugger information class marks the calling thread so that debug events raised by it are no longer delivered to an attached debugger; it is a common anti-analysis technique and has no legitimate purpose in a 149KB executable with no debugger-related functionality.

Modifies registry class (5 IoCs)
Process: 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\z9VLivqzH\DefaultIcon\ = "C:\\ProgramData\\z9VLivqzH.ico"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.z9VLivqzH
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.z9VLivqzH\ = "z9VLivqzH"
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\z9VLivqzH\DefaultIcon
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\z9VLivqzH
Together these five operations register .z9VLivqzH as a file type whose ProgID is z9VLivqzH and whose icon is C:\ProgramData\z9VLivqzH.ico, so encrypted files show the ransomware's icon in Explorer. No shell\open\command handler is registered for the type; the registration exists only to give the encrypted files an icon.
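The five registry operations above form a recognizable pattern: a new extension whose ProgID is the extension name itself, an icon named after it under C:\ProgramData, and no shell handler. The following is an added example, not code from this report or from the sandbox vendor, that applies that pattern to registry events. The event dicts are constructed from the report's IoCs (PID 2612) plus one constructed benign installer (PID 4410); their layout, the `find_extension_registrations` function and the heuristic it applies are this example's own assumptions, not a sandbox rule.

```python
"""Flag LockBit-style file-extension registration in registry events.

Added example, not code from the sandbox report. The event dicts below are
constructed to mirror the report's "Modifies registry class" IoCs plus one
constructed benign installer; the dict layout is an assumption, not the
sandbox's export format.
"""
import ntpath
from collections import defaultdict

CLASSES = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes"

# Constructed: PID 2612 entries mirror the report, PID 4410 is a made-up installer.
EVENTS = [
    {"pid": 2612, "op": "SetValue", "key": CLASSES + "\\z9VLivqzH\\DefaultIcon\\",
     "value": "C:\\ProgramData\\z9VLivqzH.ico"},
    {"pid": 2612, "op": "KeyCreated", "key": CLASSES + "\\.z9VLivqzH"},
    {"pid": 2612, "op": "SetValue", "key": CLASSES + "\\.z9VLivqzH\\", "value": "z9VLivqzH"},
    {"pid": 2612, "op": "KeyCreated", "key": CLASSES + "\\z9VLivqzH\\DefaultIcon"},
    {"pid": 2612, "op": "KeyCreated", "key": CLASSES + "\\z9VLivqzH"},
    # Benign pattern: extension maps to a descriptive ProgID that gets an open handler.
    {"pid": 4410, "op": "KeyCreated", "key": CLASSES + "\\.myapp"},
    {"pid": 4410, "op": "SetValue", "key": CLASSES + "\\.myapp\\", "value": "MyApp.Document"},
    {"pid": 4410, "op": "SetValue", "key": CLASSES + "\\MyApp.Document\\DefaultIcon\\",
     "value": "C:\\Program Files\\MyApp\\app.exe,0"},
    {"pid": 4410, "op": "SetValue", "key": CLASSES + "\\MyApp.Document\\shell\\open\\command\\",
     "value": "\"C:\\Program Files\\MyApp\\app.exe\" \"%1\""},
]


def _relative(key):
    """Return the path below HKLM\\SOFTWARE\\Classes as a list of parts, or None."""
    key = key.rstrip("\\")
    prefix = CLASSES + "\\"
    if not key.upper().startswith(prefix.upper()):
        return None
    return key[len(prefix):].split("\\")


def find_extension_registrations(events):
    """Per process, pair each new .ext -> ProgID mapping with that ProgID's DefaultIcon.

    Heuristic (this example's own, not the sandbox's): flag when the ProgID is the
    extension itself, the icon file is named after it, and the ProgID receives no
    shell\\... handler, i.e. the type is registered purely to give files an icon.
    """
    state = defaultdict(lambda: {"ext_progid": {}, "icons": {}, "handlers": set()})
    for ev in events:
        parts = _relative(ev["key"])
        if not parts:
            continue
        st = state[ev["pid"]]
        if ev["op"] == "SetValue" and len(parts) == 1 and parts[0].startswith("."):
            st["ext_progid"][parts[0]] = ev["value"]          # default value = ProgID
        elif ev["op"] == "SetValue" and len(parts) == 2 and parts[1].lower() == "defaulticon":
            st["icons"][parts[0]] = ev["value"]
        elif len(parts) >= 2 and parts[1].lower() == "shell":
            st["handlers"].add(parts[0])

    findings = []
    for pid, st in state.items():
        for ext, progid in st["ext_progid"].items():
            icon = st["icons"].get(progid)
            if icon is None:
                continue
            # "path,index" form is allowed for DefaultIcon; strip the index.
            icon_stem = ntpath.splitext(ntpath.basename(icon.split(",")[0]))[0]
            if progid == ext[1:] and icon_stem == progid and progid not in st["handlers"]:
                findings.append({"pid": pid, "extension": ext, "progid": progid, "icon": icon})
    return findings


if __name__ == "__main__":
    for f in find_extension_registrations(EVENTS):
        print(f"PID {f['pid']}: registered {f['extension']} with icon {f['icon']}")
```

On the constructed input only PID 2612 is reported. The benign installer is excluded twice over: its ProgID is descriptive rather than a copy of the extension, and it registers a shell\open\command handler. Feeding real Sysmon event ID 12/13 records into this function only needs an adapter that fills the pid/op/key/value fields.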
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Process: PID 2612 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe (all 64 entries are this one process)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Process: PID 2612 2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
Entries 1-15, in the report's order, each once:
SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege
Entries 16-64: SeDebugPrivilege once more, then SeBackupPrivilege and SeSecurityPrivilege re-enabled in alternating pairs (Backup, Backup, Security, Security) twelve times.
Totals: SeBackupPrivilege 25, SeSecurityPrivilege 25, SeDebugPrivilege 2, every other privilege 1 (15 distinct privileges).

The two entries the report shows only as numbers are privilege LUIDs the sandbox did not map to names. In winnt.h, 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) and 36 is SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE (SeDelegateSessionUserImpersonatePrivilege); with those names substituted, the first fourteen entries are in alphabetical order. SeIncBasePriorityPrivilege and SeProfSingleProcessPrivilege are the sandbox's short forms of SeIncreaseBasePriorityPrivilege and SeProfileSingleProcessPrivilege.

What this privilege set buys the sample: SeBackupPrivilege and SeRestorePrivilege together bypass file ACLs for reading and writing, SeTakeOwnershipPrivilege lets it take over objects it still cannot open, SeDebugPrivilege lets it open other processes, and SeShutdownPrivilege lets it reboot the host. The repeated re-enabling of SeBackupPrivilege and SeSecurityPrivilege shows the privileges are adjusted throughout the run rather than once at startup.
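To turn the 64 raw AdjustPrivilegeToken entries into something reviewable, the added example below (not code from this report or from the sandbox vendor) reproduces the token sequence for PID 2612, maps the two numeric LUIDs and the sandbox's abbreviated names to canonical privilege names using the well-known LUID table from winnt.h, and counts repeats. The `summarize` and `verdict` functions and the `FILE_ACCESS_BUNDLE` rule are this example's own heuristics, not something the sandbox applies.

```python
"""Normalize and summarize the AdjustPrivilegeToken entries from the report.

Added example, not code from the sandbox report. TOKEN_EVENTS reproduces the
64 "Token:" entries for PID 2612 in the report's order; LUID_NAMES is the
well-known privilege list from winnt.h; ALIASES maps the sandbox's two
abbreviated names to canonical spellings. The verdict rules are this
example's own heuristics.
"""
from collections import Counter

# Well-known privilege LUIDs (SE_*_PRIVILEGE values in winnt.h), 2..36.
LUID_NAMES = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege",
    4: "SeLockMemoryPrivilege", 5: "SeIncreaseQuotaPrivilege",
    6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege",
    8: "SeSecurityPrivilege", 9: "SeTakeOwnershipPrivilege",
    10: "SeLoadDriverPrivilege", 11: "SeSystemProfilePrivilege",
    12: "SeSystemtimePrivilege", 13: "SeProfileSingleProcessPrivilege",
    14: "SeIncreaseBasePriorityPrivilege", 15: "SeCreatePagefilePrivilege",
    16: "SeCreatePermanentPrivilege", 17: "SeBackupPrivilege",
    18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege", 21: "SeAuditPrivilege",
    22: "SeSystemEnvironmentPrivilege", 23: "SeChangeNotifyPrivilege",
    24: "SeRemoteShutdownPrivilege", 25: "SeUndockPrivilege",
    26: "SeSyncAgentPrivilege", 27: "SeEnableDelegationPrivilege",
    28: "SeManageVolumePrivilege", 29: "SeImpersonatePrivilege",
    30: "SeCreateGlobalPrivilege", 31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege", 33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege", 35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}
# The sandbox prints these two privileges with macro-style short names.
ALIASES = {
    "SeIncBasePriorityPrivilege": "SeIncreaseBasePriorityPrivilege",
    "SeProfSingleProcessPrivilege": "SeProfileSingleProcessPrivilege",
}

# Reproduced from the report: 15 distinct entries, SeDebugPrivilege again,
# then (Backup, Backup, Security, Security) twelve times = 64 entries.
TOKEN_EVENTS = [
    "SeAssignPrimaryTokenPrivilege", "SeBackupPrivilege", "SeDebugPrivilege", "36",
    "SeImpersonatePrivilege", "SeIncBasePriorityPrivilege", "SeIncreaseQuotaPrivilege", "33",
    "SeManageVolumePrivilege", "SeProfSingleProcessPrivilege", "SeRestorePrivilege",
    "SeSecurityPrivilege", "SeSystemProfilePrivilege", "SeTakeOwnershipPrivilege",
    "SeShutdownPrivilege", "SeDebugPrivilege",
] + ["SeBackupPrivilege", "SeBackupPrivilege", "SeSecurityPrivilege", "SeSecurityPrivilege"] * 12

# Privileges that together let a process read, overwrite and take over any file
# and open any process (this example's rule, not a sandbox signature).
FILE_ACCESS_BUNDLE = {"SeBackupPrivilege", "SeRestorePrivilege",
                      "SeTakeOwnershipPrivilege", "SeDebugPrivilege"}


def normalize(token):
    """Map a report token ('SeDebugPrivilege', '36', 'SeIncBasePriorityPrivilege') to a canonical name."""
    if token.isdigit():
        return LUID_NAMES.get(int(token), f"LUID:{token}")
    return ALIASES.get(token, token)


def summarize(tokens):
    """Return per-privilege counts plus the facts a triage analyst wants at a glance."""
    counts = Counter(normalize(t) for t in tokens)
    return {
        "total": sum(counts.values()),
        "distinct": sorted(counts),
        "counts": dict(counts),
        "reenabled": sorted(name for name, n in counts.items() if n > 1),
        "file_access_bundle": FILE_ACCESS_BUNDLE <= set(counts),
    }


def verdict(summary):
    """Plain-language reasons derived from summarize(); an empty list means nothing notable."""
    reasons = []
    if summary["file_access_bundle"]:
        reasons.append("enables Backup+Restore+TakeOwnership+Debug: can reach any file and any process")
    if "SeShutdownPrivilege" in summary["counts"]:
        reasons.append("enables SeShutdownPrivilege: can reboot or shut down the host")
    if summary["reenabled"]:
        reasons.append("re-enables privileges during the run: " + ", ".join(summary["reenabled"]))
    return reasons


if __name__ == "__main__":
    s = summarize(TOKEN_EVENTS)
    print(s["total"], "entries,", len(s["distinct"]), "distinct privileges")
    for line in verdict(s):
        print("-", line)
```

Run on the report's sequence this yields 64 entries, 15 distinct privileges, SeBackupPrivilege and SeSecurityPrivilege at 25 each, and all three verdict reasons. The LUID fallback (`LUID:n`) keeps unknown numbers visible instead of silently dropping them, which matters when a report comes from a newer Windows build than the table.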
Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-13_f28a75de3d39b47c7529146ea4195e6b_darkside.exe"
PID: 2612 (the only process in the tree)
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Entry 1
Filesize: 129B
MD5: 6415508a4eace0407d66957910bf121f
SHA1: 45422a83be67cec21ea199c6fb16489e5007388f
SHA256: cb5f355cc32a9c2ebb946d35246bee7bb93e59bb13b23a2926ffb6974e0d29a5
SHA512: 3bc1623a8703557882bd0a058e87d430bf258c6a9731f171ec7d98428fb30d0b784a80775edef7fe7b6223347dfd626c00b1efab8853e479fe58dc97a8c19fb9

Entry 2
Filesize: 2KB
MD5: 31b33dc2926af4e46899e5bb4568a893
SHA1: 7098cce13c2430c31f86434dbc7af8f265fdc841
SHA256: 11e36014dcaa851f35ddd153fb29bfa0f7c2864ef60e6e55ce9884cccc11fe38
SHA512: f2bdaa4fcdb39afbb8c7a82ec6ee3121705576a68ea9d56d0096bac73c07eff511606e63f860ebe3224df378a60b224640a3d709486a09d58679648342e3af4a

Entry 3
Filesize: 129B
MD5: 7684b78fd37b870f6d57d39b363d9a15
SHA1: 7faf010fcc4635faffb3e158a7ce820724842ec6
SHA256: 3292c118268b5de28e4bdef6550c3310302e2b2927acfbace938d3578dcf0bf1
SHA512: 97a240280e5f0490445acf88c2532981e5e4ead5b5e58b73efb5cbdb05bd54e01fbc02245a456b1f70246672a1ef31b6ba848954d46c70bfc4f428a2cc5ff95c