Overview

overview

10

Static

static

10

2024-05-25...de.exe

windows7-x64

10

2024-05-25...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    25-05-2024 13:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe

  • Size

    160KB

  • MD5

    9251dd806a703d4a6b388e504e5020f3

  • SHA1

    a9c78679a7effe14bac6b0fe440af504c50d7d1f

  • SHA256

    83600bb9bb3eba4ca5d64a300bcdb8bc9c988570f5acdb6aecae77f4f75d2e68

  • SHA512

    f67f5f44ef17128b575608c4a8eddd76af172ebee276c752cb7a6e149cc244e0df81166bab52435f3a1db26b42f2d141e1aa338366a81a616792a0a07b110862

  • SSDEEP

    3072:kDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP33682wa9h+f2s9L6AsW:m5d/zugZqll3a5OB9L6

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Users\NOokKHoMb.README.txt

Ransom Note
~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: F7EA81C1375FE4076B172D7DCFB7D322 << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

Signatures

  • Renames multiple (153) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-25_9251dd806a703d4a6b388e504e5020f3_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\ProgramData\230B.tmp
      "C:\ProgramData\230B.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\230B.tmp >> NUL
        3⤵
          PID:1548
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2920
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x14c
      1⤵
        PID:1560

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Defacement

      1
      T1491

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\AAAAAAAAAAA
        Filesize

        129B

        MD5

        dd600ebcf0d273d9a155d053ff3d3cd6

        SHA1

        b4c622f34519e6bb53c31e83b74f9ffaf4a477b2

        SHA256

        aa91f8eef225a8914f4348f6cdfdb849c374ce8b38f55d87b19925199982299d

        SHA512

        1a28a51eef75b7f46fe3e96eab7c892762d977de2c68cbbf459691c1cac806fac6b32db8afdcafaaacb5a6731633777276b5a4795fa8f50a9c1ead4b22e1a9fe

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
        Filesize

        160KB

        MD5

        dffea7a74eac653e7e99425cd4d35b79

        SHA1

        b9c8baad7fec2490095e4cebd6735dbb5c709fa5

        SHA256

        ad8f7a37233df587c258470708c449a945b677c1ec16ead86027ab0ad2394faf

        SHA512

        71495ab2dbfcdd15be35edacb9c92169977ba9257756c4a8a398811b4530419046ba7c23cd30b0aa30315ae25127c40b0f1b28afd3d4567b8dc208fefb34aacb

        Download Submit
      • C:\Users\NOokKHoMb.README.txt
        Filesize

        3KB

        MD5

        04d41db91964d072a383195a3fe75f4d

        SHA1

        2b2badba83389e245e24c17008fe8b0ef1f9c1b6

        SHA256

        b28a387bb8f1c5d44d744ef6b929a2261af5475cd3876c71549443d8817062a5

        SHA512

        9ab7877b28d86f1a6973b7808c0e38e5fb5d1ed977d5d648cb0874f7be08d36b447efc18e36c10766b49d3c5233b1930ba53a6ba0d3d7fe91ebcb3680fed5334

        Download Submit
      • F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\DDDDDDDDDDD
        Filesize

        129B

        MD5

        7de5ed824befe6f062f4e22b111cc61f

        SHA1

        d4764b79bdcfc26b206ec6f725b00b0a6f28c324

        SHA256

        65b278354cfd2ddc424d13a01ff0b45889c370525c6563e792cff6e8a26ee099

        SHA512

        d7a75b4c01ff6dadee5a02fc52a950f549436def90066a130f006e127b3c0df735ffdedbf99f428982f11e80884f4e2c0ebb236dbdd94af0f59e880eb839d748

        Download Submit
      • \ProgramData\230B.tmp
        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        Download Submit
      • memory/2164-285-0x0000000000400000-0x0000000000407000-memory.dmp
        Filesize

        28KB

        Download
      • memory/2164-284-0x0000000000401000-0x0000000000404000-memory.dmp
        Filesize

        12KB

        Download
      • memory/2164-314-0x0000000000400000-0x0000000000407000-memory.dmp
        Filesize

        28KB

        Download
      • memory/2164-317-0x0000000000400000-0x0000000000407000-memory.dmp
        Filesize

        28KB

        Download
      • memory/2364-0-0x0000000002160000-0x00000000021A0000-memory.dmp
        Filesize

        256KB

        Download