Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-07-28...de.exe

windows7-x64

10

2024-07-28...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/07/2024, 17:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-28_126ea509b8e7a017d2a77ae7217b53d3_darkside.exe

  • Size

    153KB

  • MD5

    126ea509b8e7a017d2a77ae7217b53d3

  • SHA1

    538527ef7632ac308a3be136f289157e0f82cbf9

  • SHA256

    d20fd836d601122256cdde5648475fafa5b0a102980898ce5e73566325298a27

  • SHA512

    2a63b767e094bf349baef09d1cc7940bf96abbc0ecf3db07f2d1158a761ac7854efe44208380e653fd1ee1f5aa4cf9163fad170d700794986524f3fe3f91abe5

  • SSDEEP

    3072:16glyuxE4GsUPnliByocWeprU6BNXfEIVY9/6:16gDBGpvEByocWe9U6BNXcasS

Score
10/10
lockbitdefense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\e3uJpiiGh.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: C50A24D28C8BD8BB64C6402A54265D1D >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Renames multiple (635) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-28_126ea509b8e7a017d2a77ae7217b53d3_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-28_126ea509b8e7a017d2a77ae7217b53d3_darkside.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:1572
    • C:\ProgramData\12C9.tmp
      "C:\ProgramData\12C9.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\12C9.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:432
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:1296
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{48CD951F-AA63-4CA9-A13B-0F380B2D43FA}.xps" 133667600811890000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:2532

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-1705699165-553239100-4129523827-1000\JJJJJJJJJJJ
      Filesize

      129B

      MD5

      b4a9e717e6d7e441b126e1d053b1d487

      SHA1

      78ed0009b7debca249149806dc1fb6fec9dc65d0

      SHA256

      c63e63f7b7961a8c52ab1e64b55e9d04295f349e7c962812409fd37a6ed2c9b7

      SHA512

      3b4daff3133e116d6ed5ae12ea0ecf546d2e2cb1a1c563b9aadf22f1bfd5cb6f66f73a385e317247b6934fdfdda4cfecac20f391230d6599623c192a0dd31622

      Download Submit

    • C:\ProgramData\12C9.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
      Filesize

      153KB

      MD5

      84c278de12ba7b557382ea12e92b2378

      SHA1

      6f50ec56ebb5173ae703bb7cd1e45df50b614825

      SHA256

      d1de7ecdd0e4477dab6feb70e60387f30f8ed73ccccc523d4d356ee771cb9577

      SHA512

      5d90c2cb17319766e7d8a74236bfec1895397b1e9011fe26692c70c41b0e94da7daff2b6d0fa4705a0b8cd1fbf2bc7ed49e3443a733b9afb6bb7fe84884b0c88

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{1A60CEE3-A048-40AF-BBB6-285736820650}
      Filesize

      4KB

      MD5

      f9c7093325b1fad6eb698164f57b3cc5

      SHA1

      bbcd59ac8f05c8f1d45f1a615d30096c389b76eb

      SHA256

      7f11380420e742686f404821ae8a9db0c5fb57621b2df737dd684371675ea1c2

      SHA512

      fc96446791872010bee3d006bf22816323fd125b9e4ff06983c6ad51f7a7beabd7f91a092e2cc0aaac056549c59affcf6bff0a4b8d66be5395716cab58198ad6

      Download Submit

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
      Filesize

      4KB

      MD5

      fc67c99aa35fd5c15be46f97932b3182

      SHA1

      f27c7afae8bd8c788f38b05af8249b33d5e45196

      SHA256

      75bc114fbaf90a8da8e30a9a0b8f193cf605233f6ab4ffe8822034dd2855af7c

      SHA512

      aa117e3b05ff36bb6878aef25a0726f74b212cc74348931a33ca584a7715ba4f54144fb1402c39af7e002de633298668eb5b4c2a5a7fc1545fd32417b9e36e97

      Download Submit

    • C:\e3uJpiiGh.README.txt
      Filesize

      6KB

      MD5

      913ba4ad0dcf541e37a167fe826ea25f

      SHA1

      6ad246d24440360bfa6ac54076e1a7772458fb43

      SHA256

      909239bd68e48749e30e80dc73252cf0db5780402088bf33da7300229085a6c5

      SHA512

      a828eba551e0b8dcb8e681318dbe860618a009826f725fcf478cda8713e8cd05b15c8ee0b2377998e6ba8840dd3cda3f871ffb691ddd504b57bba36fb157389e

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1705699165-553239100-4129523827-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      c95db154522b0cb4703d9dc2badbf322

      SHA1

      b71752e6bc21473de183687a9c07286da8a99945

      SHA256

      86fe6136d13fa3a49350e930492fac6bee67b846d85d647c6dbd2690b6af56ab

      SHA512

      622f0af48bb1db10c55f59288bf866ddc0a4736472d6c7602eeb6c41f79d33ac68c60bf4e5780784f5a3535f16e2eddfd8a8e82c3831d43c4ea6e2fcbd664a91

      Download Submit

    • memory/2272-2-0x00000000033B0000-0x00000000033C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2272-1-0x00000000033B0000-0x00000000033C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2272-0-0x00000000033B0000-0x00000000033C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2532-3018-0x00007FFACAF70000-0x00007FFACAF80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2532-3019-0x00007FFACAF70000-0x00007FFACAF80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2532-3022-0x00007FFACAF70000-0x00007FFACAF80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2532-3023-0x00007FFAC8EB0000-0x00007FFAC8EC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2532-3024-0x00007FFAC8EB0000-0x00007FFAC8EC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2532-3021-0x00007FFACAF70000-0x00007FFACAF80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2532-3020-0x00007FFACAF70000-0x00007FFACAF80000-memory.dmp

      Filesize

      64KB

      Download