Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
21-09-2024 09:56
General
-
Target
20240921996e351688f092ffa057d29fa578cd7adarkside.exe
-
Size
156KB
-
MD5
996e351688f092ffa057d29fa578cd7a
-
SHA1
d9eb149d2cdd04fa9602a8b54cad71ddd2a23254
-
SHA256
ee75989cec445a27d489e670208dc8d7f6058ee90a21998910b14eb46a7dabcd
-
SHA512
5a1083ecdc4cf155b130956d18cc7cef0aeef74a198858e414fe2d213063d73ebd8db0e4d86efdf871eeb2cfe3cccf35cc0df87ecb604d6532473dc5bd02b4c1
-
SSDEEP
3072:fDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368Mgw9QHyISWjDb4SjvW:B5d/zugZqll3BmWD
Malware Config
Extracted
C:\Users\HWOyxb8t7.README.txt
http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/
https://twitter.com/hashtag/lockbit?f=live
http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
Signatures
-
Renames multiple (139) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\20240921996e351688f092ffa057d29fa578cd7adarkside.exe"C:\Users\Admin\AppData\Local\Temp\20240921996e351688f092ffa057d29fa578cd7adarkside.exe"1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\9664.tmp"C:\ProgramData\9664.tmp"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9664.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5d66b81560dc83292ef638d235a31036c
SHA10a0c88d9a21daa4b4b4543c66a8b3164d233c1e2
SHA2563d4a269a603e6ba2ec29688e291770f747ed1121e478dfafc82f4f16da28a346
SHA5124320fb2d7597f145a1f8d4a3e8f104c5dd11a89f8f6af4775d4879fedffcf0a83b46bf5909b19f7fd18433126645d1431e0fd8bd2f8ff78ebdeb5f5f918d12ca
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
3KB
MD5a247343d7ffb1ba5a507961ccfec0c2e
SHA12ced3c4ceac45e2eb8776339eb329fbca028042b
SHA256487f76d4c993942b4016a578d827fe581c57327e277e0d3371940100a74ad700
SHA51256d895e62207410e848dc78dbfae46346d7030037932e64e1867f51c0709177d9bd079fa1d0de286c6a11c91578e20e6512b537d9ed37527d918d2db44d88860
-
Filesize
129B
MD5cb86a1a383a0ac4f2f7d674214b5726c
SHA1cd71df7bf4df7feb743dc52fbac66176dd9a14a6
SHA256b0ca8106dabfe0edca0c63bea24c999bacacb2ca61a01f2b6b05b91d5fb7f73e
SHA51284e9d4911c32ff84beb32efc7a304f2fe27aa1428def1d96bd71d33cbcc169abb6deb338c3c1cd96f51c24afd3c14a98f61bf4721512fff31f808c0fa00d0044
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB