Overview

overview

10

Static

static

10

2024-06-29...de.exe

windows7-x64

10

2024-06-29...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-06-2024 08:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-29_917c73751f310ac3a09dd56b88baef90_darkside.exe

  • Size

    153KB

  • MD5

    917c73751f310ac3a09dd56b88baef90

  • SHA1

    23a42392a2857b3fe74573197c4d1d819116d19f

  • SHA256

    5e1d3c89c3992c19b03d6f0f553073a46b337d27cadcddfc63abfe06118fa8d5

  • SHA512

    15b472715621158ad150aed6a6cce75dd8a4a1eee2f1b62f8d67596a336aac5d663198250e4439031fd1e56b6601618eac806da4d0bb062f454ef6d5be8dcac2

  • SSDEEP

    3072:66glyuxE4GsUPnliByocWepEXGg7g+fACCmUSt:66gDBGpvEByocWexIgQ1lUSt

Score
10/10
lockbitransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\q4ZbIx1qb.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: 7D5E9DCC6033969962A5712A62EA2274 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Renames multiple (714) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-29_917c73751f310ac3a09dd56b88baef90_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-29_917c73751f310ac3a09dd56b88baef90_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:1708
    • C:\ProgramData\149D.tmp
      "C:\ProgramData\149D.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4564
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\149D.tmp >> NUL
        3⤵
          PID:4040
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,18320353784098040629,17273168055569331828,262144 --variations-seed-version --mojo-platform-channel-handle=3840 /prefetch:8
      1⤵
        PID:5880
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
        1⤵
          PID:1984
        • C:\Windows\system32\printfilterpipelinesvc.exe
          C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
          1⤵
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:560
          • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
            /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{271F6FA1-3015-4769-958F-45BACCCC60DA}.xps" 133641236285470000
            2⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of SetWindowsHookEx
            PID:3080

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3665033694-1447845302-680750983-1000\YYYYYYYYYYY
          Filesize

          129B

          MD5

          2ff613863456000f5d3bf53ae16c59da

          SHA1

          bc4a9618c7176d01ee96ff3e5a2a255f01ec0206

          SHA256

          e151eda21759175aa6a1c7176a0df23e261b9453fcf10b02d03f13f480dbcdf9

          SHA512

          4b2ffad6813aab7ca0eec42edf81c1bedf648b05edc6d508d7ccb40c18e94857e332781d21a7c6fe1cb44eac000636203aaac120e7f1808913688677561990b0

          Download Submit

        • C:\ProgramData\149D.tmp
          Filesize

          14KB

          MD5

          294e9f64cb1642dd89229fff0592856b

          SHA1

          97b148c27f3da29ba7b18d6aee8a0db9102f47c9

          SHA256

          917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

          SHA512

          b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
          Filesize

          153KB

          MD5

          a373895a9478781c23d0cda0220f7611

          SHA1

          9b087c35d200413d1ceefd2e43c9775e43bd0819

          SHA256

          409466b4f737af9e54ff5c8decfb06fe6de052a876a111f9e1a8018803dd3705

          SHA512

          3a1ea9eaabcd303dbe7c80850fadcac768a48c55dec3c4cc7387c18b6d18fdb1665a65eec56c0fe8f13bf084416d72ae81abd97e76ed87a99ae9ab901d13553c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\{3D4B340F-B363-4C39-A414-8BFF44FF9CB2}
          Filesize

          4KB

          MD5

          fbb959765f44696b8d8c2c78bad0315b

          SHA1

          78920488f00954d9571d50c4ee417508de85bcb8

          SHA256

          1ea10abbbaa014f89b20c91c4a8f17b023ea2c7d963c4820d03b769ee76be2d9

          SHA512

          bef89ee1b464b8483c6adfff221078a1be2bb251fac221a6d5852c2aa66c410a5eb08277d03115cde1c836990da395da00d89d0cc3ded33724a86438c4b46b2a

          Download Submit

        • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
          Filesize

          4KB

          MD5

          eeec523b2918f59ffd8f6ab9e933d470

          SHA1

          c01d5a997f43cdf317612b435019d641c84f900b

          SHA256

          d8a7fbc8db1fa1cb6304916ef0e78178669a895c25236e8166ef7a31fccbba59

          SHA512

          3330df8f7f1a629ea54e0bffc04999d2ac97ede1fd31dd2e19185732441121e5aa0eaba69efaf17ed3cbb17d5482cf42a6153fc5095c6a5c02d116955b18f679

          Download Submit

        • C:\Users\Admin\q4ZbIx1qb.README.txt
          Filesize

          6KB

          MD5

          02ab2840c9c97606890739a1e2f31349

          SHA1

          9b466a5578fe7d50ff92a003deda7e5452e5fcea

          SHA256

          54f487117c49355be7791f0b2c1bc320a041a299a6422ce14d026c9c44e7aeac

          SHA512

          5fa48d310789c019661f677bbfac6180e85bdcd3475a565f2cb142a9bc00fecadae45cb529e1924b9f3408b44863d8b4cf2ed58e63f7a11aff716557216c9727

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3665033694-1447845302-680750983-1000\DDDDDDDDDDD
          Filesize

          129B

          MD5

          8d174e7b49d291710cb3b5485c22b165

          SHA1

          e0987d3e05aa4e5d25bc81ca682b3b301951eff3

          SHA256

          0f4f291c06a0506baad1db2db1c7bf12d1904d8ece59e913117a101187fc0b20

          SHA512

          aa6bc292f216946772f999906d27c54b4f9f59b6737616e0c1ffb591da9118126fdd440fd630bd97d4310bc46e5dff6096cb16a393be3bd86a13360cc19bed6f

          Download Submit

        • memory/2036-0-0x0000000002F50000-0x0000000002F60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2036-1-0x0000000002F50000-0x0000000002F60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2036-2-0x0000000002F50000-0x0000000002F60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3080-3134-0x00007FF88DE10000-0x00007FF88DE20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3080-3127-0x00007FF88DE10000-0x00007FF88DE20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3080-3129-0x00007FF88DE10000-0x00007FF88DE20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3080-3164-0x00007FF88B4B0000-0x00007FF88B4C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3080-3165-0x00007FF88B4B0000-0x00007FF88B4C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3080-3130-0x00007FF88DE10000-0x00007FF88DE20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3080-3132-0x00007FF88DE10000-0x00007FF88DE20000-memory.dmp

          Filesize

          64KB

          Download