Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-04-2024 09:38

Behavioral task: behavioral1
Sample: 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Resource: win10v2004-20240412-en

General

Target: 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
Size: 156KB
MD5: b927dd845c06e97594ffbc299f624eec
SHA1: b22dd1fee007b95ddef5f30c41891e25a30f5a96
SHA256: 5e006f895382525e762a33e5dd5e8416bef56ae859f5e96f820cfba5c4c11226
SHA512: 53e55d0378f4609bb521a6b34a717510d147175c189065dfa3e547e9d65bccda85ca30b262b6cc718544c1709d7058172af2d755884b500b73c942e08666a4db
SSDEEP: 3072:GDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368+K3PvFQpr5S8JSG7Is1g2mxn:g5d/zugZqll37fqjSyJcTO

Malware Config

Extracted: C:\Users\lee4RKPOu.README.txt
Signatures

Renames multiple (151) files with added filename extension
This suggests ransomware activity: encrypting all files on the system.

Deletes itself (1 IoC)
Processes:
  pid  | process
  1612 | 1A25.tmp

Executes dropped EXE (1 IoC)
Processes:
  pid  | process
  1612 | 1A25.tmp

Loads dropped DLL (1 IoC)
Processes:
  pid  | process
  2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

Drops desktop.ini file(s) (2 IoCs)
Processes:
  description | ioc | process
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\lee4RKPOu.bmp" | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\lee4RKPOu.bmp" | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
Processes:
  pid  | process
  2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe (6 entries)
  1612 | 1A25.tmp (6 entries)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies Control Panel (2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

Modifies registry class (5 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lee4RKPOu | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lee4RKPOu\DefaultIcon\ = "C:\\ProgramData\\lee4RKPOu.ico" | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lee4RKPOu | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lee4RKPOu\ = "lee4RKPOu" | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lee4RKPOu\DefaultIcon | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
  pid  | process
  2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe (10 entries)

Suspicious behavior: RenamesItself (26 IoCs)
Processes:
  pid  | process
  1612 | 1A25.tmp (26 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeAssignPrimaryTokenPrivilege | 2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Token: SeBackupPrivilege | 2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Token: SeDebugPrivilege | 2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Token: 36 | 2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Token: SeImpersonatePrivilege | 2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Token: SeIncBasePriorityPrivilege | 2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Token: SeIncreaseQuotaPrivilege | 2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Token: 33 | 2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Token: SeManageVolumePrivilege | 2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Token: SeProfSingleProcessPrivilege | 2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Token: SeRestorePrivilege | 2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Token: SeSecurityPrivilege | 2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Token: SeSystemProfilePrivilege | 2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Token: SeTakeOwnershipPrivilege | 2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Token: SeShutdownPrivilege | 2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Token: SeDebugPrivilege | 2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe
  Token: SeBackupPrivilege | 2028 | vssvc.exe
  Token: SeRestorePrivilege | 2028 | vssvc.exe
  Token: SeAuditPrivilege | 2028 | vssvc.exe
  (45 further entries for pid 2412 / 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe, alternating in pairs between Token: SeBackupPrivilege and Token: SeSecurityPrivilege)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 2412 wrote to memory of 1612 | 2412 | 2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe | 1A25.tmp (5 entries)
  PID 1612 wrote to memory of 2236 | 1612 | 1A25.tmp | cmd.exe (4 entries)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-16_b927dd845c06e97594ffbc299f624eec_darkside.exe"
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\1A25.tmp (level 2)
    Command line: "C:\ProgramData\1A25.tmp"
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1A25.tmp >> NUL

C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AUDIODG.EXE (level 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x148

Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini
  Filesize: 129B
  MD5: 5e8508819975de7a29606a54bf54430f
  SHA1: 386a77b42b6f32d5bfb501343833679a73e034d6
  SHA256: 8387de03ef1c30248a193d0422d84917cbe627cc356006fc73fe74517f1275fc
  SHA512: 61a37f964c591ecf3d64945301ce2c89bd65d6609b7972240bd4f85457edc6ef47c9f624d109abafea8f95482ea981d2b14201e07425a294c751fc7e13b4ded2

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  Filesize: 156KB
  MD5: bd0fab9ff8f6b05d14e14685cc9488e5
  SHA1: 4358fde8fec110af45f4ef15fab54b7bc81b0f54
  SHA256: d3afe631e207d263f6b16fae2a71da67ff870205350f28a1c1fc94bca52262f9
  SHA512: 16f0b9085594f517fe9533cfc115702479394ae696ed622f5be06b168cf06c46bbf1c6b9de959f8cf06780dd5cc75ba48bf6545effe0293aefef3026141e8f71

C:\Users\lee4RKPOu.README.txt
  Filesize: 2KB
  MD5: 14c330092a41f34c63253d1280857da1
  SHA1: 5c2f2df55c2f20b05be82d56b5aae3175ac3ea89
  SHA256: ff435771961f4cc48367ca315cedb76e17247cf46875b55d7c6bad412fcb4c62
  SHA512: a2a5006b723ea5f1cc200cbdc39a318967b0f0ac4dcf2050dc12bd0681a69ddeaeb466f365eb7a2832cbf6bb47dca65196e96f068eb48a2b929b33eba1d241b4

F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\DDDDDDDDDDD
  Filesize: 129B
  MD5: 3301f021d052085d27fc47daf64f64dd
  SHA1: ad154a77f3484d05a8fc7803eca8a497517782cc
  SHA256: 04e322a5d89e24fec36a8fbdfd3c08d3c9eba62144d78d5cb74550d7ff08c863
  SHA512: f69885b1beaee84ebba663fdeee1dc80b05eedc78e9a893cd77f89c3ed98ff60d32d746069e8caeac015a391781d85a57003ba70cdb541f95a9d185c3140bb1b

\ProgramData\1A25.tmp
  Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1612-282-0x000000007EFA0000-0x000000007EFA1000-memory.dmp
  Filesize: 4KB

memory/1612-285-0x00000000003C0000-0x0000000000400000-memory.dmp
  Filesize: 256KB

memory/1612-293-0x000000007EF80000-0x000000007EF81000-memory.dmp
  Filesize: 4KB

memory/1612-294-0x000000007EF20000-0x000000007EF21000-memory.dmp
  Filesize: 4KB

memory/1612-317-0x000000007EF60000-0x000000007EF61000-memory.dmp
  Filesize: 4KB

memory/1612-316-0x000000007EF40000-0x000000007EF41000-memory.dmp
  Filesize: 4KB

memory/2412-0-0x0000000000810000-0x0000000000850000-memory.dmp
  Filesize: 256KB