General

  • Target

    2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside

  • Size

    147KB

  • Sample

    240926-beq92axgnn

  • MD5

    0ebb815bbd3f1b249d4a86d18e5f064b

  • SHA1

    474fea9f172a6d6857a133755953330ae802409b

  • SHA256

    6fa257b42aa0e3323fbf6ca0026f331fe58447e22224d2f0ea8e533bd9eed096

  • SHA512

    a427c4d7ed3d9565c9051801ea6d38ffbd293b2dee0ad54e71b573bfee5030de4c9ca7132373ce90a051201d1c01e07990a877c07e5ab6c73017140e580a24ba

  • SSDEEP

    1536:8zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD4056A76O4xEwyamTS8GHViXqWB:zqJogYkcSNm9V7Drl7Z4q3S4XqWbJT

Malware Config

Extracted

Path

    C:\dZGlueXae.README.txt

Ransom Note

    ########################################################################################
    YOUR COMPANY NETWORK HAS BEEN PENETRATED
    All your important files have been encrypted!
    Your files are safe! Only modified. (RSA+AES)
    ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT.
    DO NOT MODIFY ENCRYPTED FILES.
    DO NOT RENAME ENCRYPTED FILES.
    No software available on internet can help you. We are the only ones able to solve your problem.
    We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment.
    If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future..
    We only seek money and our goal is not to damage your reputation or prevent your business from running.
    You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back.
    YOUR PERSONAL ID: iwy8hbK5HseAftoI3culO2J96rYqV1LNandZ4zQU0GmXPxkSDWM7EFgp
    Contact us, use the email: [email protected] [email protected]
    IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Targets

    • Target

      2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside

    • Renames multiple (160) files with added filename extension

      This suggests ransomware activity: encrypting all files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks