Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted
01-09-2024 17:49
Behavioral task
behavioral1
Sample
20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Resource
win10v2004-20240802-en
General
-
Target
20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
-
Size
153KB
-
MD5
713c0b2580a14c603a3e8304a0ace305
-
SHA1
9485e1ba5f152838c0b0625f8cfebad17a6aa48b
-
SHA256
55b2351ca0356b5071b67ad88becdf41f35b6f0624142db61ad6bc5ae71f9c27
-
SHA512
3916fa104ac27294c4070cb032014e8b94b887255267a3930020eb6cc6470e32cf82ef8b333798955c93adf605708aa7e729d6f9697acbe727a6437c355d6b3d
-
SSDEEP
3072:8qJogYkcSNm9V7DXCMTANJR3I6yD7T/bmvWnT:8q2kc4m9tDScg34p6
Malware Config
Extracted
C:\ZkY0iHrYy.README.txt
lockbit
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Deletes itself 1 IoCs
pid Process
2456 EB58.tmp
Executes dropped EXE 1 IoCs
pid Process
2456 EB58.tmp
Loads dropped DLL 1 IoCs
pid Process
2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process
File opened for modification C:\$Recycle.Bin\S-1-5-21-2958949473-3205530200-1453100116-1000\desktop.ini 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\desktop.ini 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ZkY0iHrYy.bmp" 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ZkY0iHrYy.bmp" 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process
2456 EB58.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EB58.tmp
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Modifies Control Panel 3 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\WallpaperStyle = "10" 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\International 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Modifies registry class 5 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZkY0iHrYy 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZkY0iHrYy\DefaultIcon\ = "C:\\ProgramData\\ZkY0iHrYy.ico" 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ZkY0iHrYy 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ZkY0iHrYy\ = "ZkY0iHrYy" 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZkY0iHrYy\DefaultIcon 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process
2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Suspicious behavior: RenamesItself 26 IoCs
pid Process
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
2456 EB58.tmp
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeAssignPrimaryTokenPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeDebugPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: 36 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeImpersonatePrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeIncBasePriorityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeIncreaseQuotaPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: 33 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeManageVolumePrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeProfSingleProcessPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeRestorePrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSystemProfilePrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeTakeOwnershipPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeShutdownPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeDebugPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeBackupPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Token: SeSecurityPrivilege 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target
PID 2420 wrote to memory of 2456 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe 34
PID 2420 wrote to memory of 2456 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe 34
PID 2420 wrote to memory of 2456 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe 34
PID 2420 wrote to memory of 2456 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe 34
PID 2420 wrote to memory of 2456 2420 20240901713c0b2580a14c603a3e8304a0ace305darkside.exe 34
PID 2456 wrote to memory of 2560 2456 EB58.tmp 35
PID 2456 wrote to memory of 2560 2456 EB58.tmp 35
PID 2456 wrote to memory of 2560 2456 EB58.tmp 35
PID 2456 wrote to memory of 2560 2456 EB58.tmp 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\20240901713c0b2580a14c603a3e8304a0ace305darkside.exe
"C:\Users\Admin\AppData\Local\Temp\20240901713c0b2580a14c603a3e8304a0ace305darkside.exe"
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
C:\ProgramData\EB58.tmp
"C:\ProgramData\EB58.tmp"
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2456
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\EB58.tmp >> NUL
- System Location Discovery: System Language Discovery
PID:2560
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
PID:3048
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
129B
MD5 f7bcc5ee3269604a396c3f61da495933
SHA1 b054e1ebe15bc5e60c2ece747cca51c89c9e3fb3
SHA256 fa156fb7ee91b520a165519bed180e73389827e220a156c363fcb6df1bbe5c83
SHA512 d1fc92946e8cf011218b593f4a44a8dca4fa1e0cf625abc034cca31521e614903129972543191fbfbf8129e07e974bdda424375a9c5fca6f254b210212404b73
-
Filesize
153KB
MD5 7470283ed1eec720c6236a138bd7d9ca
SHA1 8b1bebb7ffcf4b42104eba914db7e98c8aa67858
SHA256 70dd289cc0a4adfd2bb9b9bf07299ab2f73e393094f4d67bed5e078610fb6877
SHA512 676d1771e5e52111287108c4d2429764ee5e1b3c7db1b4384f4c72b58b995e6e6af2e1e56771bd4ac0d02e5d88127e9090eaab3cc6c9841b547fe40b40ce0698
-
Filesize
6KB
MD5 f9366230690f4341bc9c9d958d042cc0
SHA1 9ae05629d0cee0b7e0d1a87e0ec812575c7cfe68
SHA256 53e1aff3d9bdee7c6c0068f5553d88fca8f1399007fb47372717397d06d8f433
SHA512 42af70bc2e1109633e259fc8a65650b1d8ff4d41456abcb39b4aba80c68d711192f2a21da3c9889fc71e7624692f0ddd3216c570ad8b67c48f09f180f11f8931
-
Filesize
129B
MD5 e3e182c47fbb40ead8af9a449acfc513
SHA1 3e3409068672f6e461f8594838f6ca321526f371
SHA256 d104a672d322f06e970ab06eecb409bb6cc77b74f76326ec5cab6253f7b0934b
SHA512 341157f4e9d8dd719108697af976ad4468ad8004d18e619b21132cb759943256ca494dd775b3bcec94d88d6bdbfcdc63f464b6ab57429980f1192f2a34abdc8b
-
Filesize
14KB
MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf