lockbit | a8bd5d36c5653a89f5643dd7d7ff27146dcc95f0ef7c3a507f8c42af1ee6b367 | Triage

Submit
Reports

Overview

overview

Static

static

2024-09-17...de.exe

windows7-x64

9

2024-09-17...de.exe

windows10-2004-x64

9

Sharing

General

Target

2024-09-17_13d1cd6bc101aaeabbb33fe9af40be3f_darkside
Size

146KB
Sample

240917-vxv6gsvekn
MD5

13d1cd6bc101aaeabbb33fe9af40be3f
SHA1

fdf8e840d9b5241bcf3b458cac72c2fb4d4cec00
SHA256

a8bd5d36c5653a89f5643dd7d7ff27146dcc95f0ef7c3a507f8c42af1ee6b367
SHA512

80c10fc4b173ff9ba30d0a3944645402995c66b356e079e52e343f7fa8c493ccc2ce4f864f0ab26ebd2eda59108167fc710d7fcab95038bdb3e6c187074d7f89
SSDEEP

3072:76glyuxE4GsUPnliByocWepRs7lD9DVGUI:76gDBGpvEByocWeHkg

Score

10^/10

lockbit defense_evasion discovery ransomware spyware stealer

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

2024-09-17_13d1cd6bc101aaeabbb33fe9af40be3f_darkside.exe

Resource

win7-20240903-en

defense_evasion discovery ransomware spyware stealer

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

2024-09-17_13d1cd6bc101aaeabbb33fe9af40be3f_darkside.exe

Resource

win10v2004-20240802-en

defense_evasion discovery ransomware spyware stealer

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Targets

- Target
  
  2024-09-17_13d1cd6bc101aaeabbb33fe9af40be3f_darkside
- Size
  
  146KB
- MD5
  
  13d1cd6bc101aaeabbb33fe9af40be3f
- SHA1
  
  fdf8e840d9b5241bcf3b458cac72c2fb4d4cec00
- SHA256
  
  a8bd5d36c5653a89f5643dd7d7ff27146dcc95f0ef7c3a507f8c42af1ee6b367
- SHA512
  
  80c10fc4b173ff9ba30d0a3944645402995c66b356e079e52e343f7fa8c493ccc2ce4f864f0ab26ebd2eda59108167fc710d7fcab95038bdb3e6c187074d7f89
- SSDEEP
  
  3072:76glyuxE4GsUPnliByocWepRs7lD9DVGUI:76gDBGpvEByocWeHkg
Score

9^/10

defense_evasion discovery ransomware spyware stealer
- Renames multiple (374) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

defense_evasiondiscoveryransomwarespywarestealer

behavioral2

defense_evasiondiscoveryransomwarespywarestealer

© 2018-2024

Terms | Privacy