Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 25-05-2024 13:05
Behavioral task: behavioral1
- Sample: 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
- Resource: win10v2004-20240508-en
General
- Target: 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
- Size: 160KB
- MD5: 9251dd806a703d4a6b388e504e5020f3
- SHA1: a9c78679a7effe14bac6b0fe440af504c50d7d1f
- SHA256: 83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68
- SHA512: f67f5f44ef17128b575608c4a8eddd76af172ebee276c752cb7a6e149cc244e0df81166bab52435f3a1db26b42f2d141e1aa338366a81a616792a0a07b110862
- SSDEEP: 3072:kDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP33682wa9h+f2s9L6AsW:m5d/zugZqll3a5OB9L6
Malware Config
Extracted
- Path: C:\Users\NOokKHoMb.README.txt
- URLs:
http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
https://twitter.com/hashtag/lockbit?f=live
http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
Signatures
- Renames multiple (153) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- Deletes itself (1 IoC)
  Processes:
  - pid 2164, process 230B.tmp
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 2164, process 230B.tmp
- Loads dropped DLL (1 IoC)
  Processes:
  - pid 2364, process 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
- Drops desktop.ini file(s) (2 IoCs)
  Processes:
  - File opened for modification: C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini (process: 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe)
  - File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini (process: 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe)
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\NOokKHoMb.bmp" (process: 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\NOokKHoMb.bmp" (process: 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
  Processes:
  - pid 2364, process 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe (6 occurrences)
  - pid 2164, process 230B.tmp (6 occurrences)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Control Panel (2 IoCs)
  Processes:
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop (process: 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\WallpaperStyle = "10" (process: 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe)
- Modifies registry class (5 IoCs)
  Processes:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\NOokKHoMb (process: 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\NOokKHoMb\DefaultIcon\ = "C:\\ProgramData\\NOokKHoMb.ico" (process: 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.NOokKHoMb (process: 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.NOokKHoMb\ = "NOokKHoMb" (process: 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\NOokKHoMb\DefaultIcon (process: 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  - pid 2364, process 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe (12 occurrences)
- Suspicious behavior: RenamesItself (26 IoCs)
  Processes:
  - pid 2164, process 230B.tmp (26 occurrences)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (token, pid, process), in the order recorded:
  - SeAssignPrimaryTokenPrivilege, 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
  - SeBackupPrivilege, 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
  - SeDebugPrivilege, 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
  - 36, 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
  - SeImpersonatePrivilege, 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
  - SeIncBasePriorityPrivilege, 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
  - SeIncreaseQuotaPrivilege, 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
  - 33, 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
  - SeManageVolumePrivilege, 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
  - SeProfSingleProcessPrivilege, 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
  - SeRestorePrivilege, 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
  - SeSecurityPrivilege, 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
  - SeSystemProfilePrivilege, 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
  - SeTakeOwnershipPrivilege, 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
  - SeShutdownPrivilege, 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
  - SeDebugPrivilege, 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
  - SeBackupPrivilege, 2920, vssvc.exe
  - SeRestorePrivilege, 2920, vssvc.exe
  - SeAuditPrivilege, 2920, vssvc.exe
  - Entries 20 through 64: a repeating sequence of SeBackupPrivilege (twice) followed by SeSecurityPrivilege (twice), all for pid 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe (23 SeBackupPrivilege and 22 SeSecurityPrivilege entries in total)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  - PID 2364 wrote to memory of 2164, 2364, 2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe, 230B.tmp (5 occurrences)
  - PID 2164 wrote to memory of 1548, 2164, 230B.tmp, cmd.exe (4 occurrences)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe"
  Signatures:
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\230B.tmp (child process)
    Command line: "C:\ProgramData\230B.tmp"
    Signatures:
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (child process)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\230B.tmp >> NUL
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x14c
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\AAAAAAAAAAA
  Filesize: 129B
  MD5: dd600ebcf0d273d9a155d053ff3d3cd6
  SHA1: b4c622f34519e6bb53c31e83b74f9ffaf4a477b2
  SHA256: aa91f8eef225a8914f4348f6cdfdb849c374ce8b38f55d87b19925199982299d
  SHA512: 1a28a51eef75b7f46fe3e96eab7c892762d977de2c68cbbf459691c1cac806fac6b32db8afdcafaaacb5a6731633777276b5a4795fa8f50a9c1ead4b22e1a9fe
- C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
  Filesize: 160KB
  MD5: dffea7a74eac653e7e99425cd4d35b79
  SHA1: b9c8baad7fec2490095e4cebd6735dbb5c709fa5
  SHA256: ad8f7a37233df587c258470708c449a945b677c1ec16ead86027ab0ad2394faf
  SHA512: 71495ab2dbfcdd15be35edacb9c92169977ba9257756c4a8a398811b4530419046ba7c23cd30b0aa30315ae25127c40b0f1b28afd3d4567b8dc208fefb34aacb
- C:\Users\NOokKHoMb.README.txt
  Filesize: 3KB
  MD5: 04d41db91964d072a383195a3fe75f4d
  SHA1: 2b2badba83389e245e24c17008fe8b0ef1f9c1b6
  SHA256: b28a387bb8f1c5d44d744ef6b929a2261af5475cd3876c71549443d8817062a5
  SHA512: 9ab7877b28d86f1a6973b7808c0e38e5fb5d1ed977d5d648cb0874f7be08d36b447efc18e36c10766b49d3c5233b1930ba53a6ba0d3d7fe91ebcb3680fed5334
- F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\DDDDDDDDDDD
  Filesize: 129B
  MD5: 7de5ed824befe6f062f4e22b111cc61f
  SHA1: d4764b79bdcfc26b206ec6f725b00b0a6f28c324
  SHA256: 65b278354cfd2ddc424d13a01ff0b45889c370525c6563e792cff6e8a26ee099
  SHA512: d7a75b4c01ff6dadee5a02fc52a950f549436def90066a130f006e127b3c0df735ffdedbf99f428982f11e80884f4e2c0ebb236dbdd94af0f59e880eb839d748
- \ProgramData\230B.tmp
  Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
- memory/2164-285-0x0000000000400000-0x0000000000407000-memory.dmp
  Filesize: 28KB
- memory/2164-284-0x0000000000401000-0x0000000000404000-memory.dmp
  Filesize: 12KB
- memory/2164-314-0x0000000000400000-0x0000000000407000-memory.dmp
  Filesize: 28KB
- memory/2164-317-0x0000000000400000-0x0000000000407000-memory.dmp
  Filesize: 28KB
- memory/2364-0-0x0000000002160000-0x00000000021A0000-memory.dmp
  Filesize: 256KB