Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-10-2024 10:55
Behavioral task: behavioral1
Sample: 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe
Resource: win10v2004-20240802-en
General

Target: 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe
Size: 153KB
MD5: 1c49ec489a2e338afce7cbca2161a035
SHA1: 9495ec90275745b9f23bf1e3116d7a00c8a26412
SHA256: 62bc717e6da4e21751362a7c3893fde74b0531bb37696aa9462c4067b5b95bbe
SHA512: fa2b443459626000291f39899e9cc435f4e5dbf7b089d26f4ded150587e9dca4c36170e83765af4aa58665b00257648f427bc94d4c5e4149d4660f99a6ba3974
SSDEEP: 3072:m6glyuxE4GsUPnliByocWepmOiBs/9WpiFfLiU:m6gDBGpvEByocWeI9Bg9W
Malware Config
Extracted
C:\iTMxVCUhe.README.txt
lockbit
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Renames multiple (354) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Deletes itself (1 IoC)
pid | Process
940 | 1B00.tmp

Executes dropped EXE (1 IoC)
pid | Process
940 | 1B00.tmp

Loads dropped DLL (1 IoC)
pid | Process
2388 | 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini | 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini | 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\iTMxVCUhe.bmp" | 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\iTMxVCUhe.bmp" | 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
pid | Process | entries
2388 | 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe | 4
940 | 1B00.tmp | 1

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1B00.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe
Modifies Control Panel (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop | 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe

Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iTMxVCUhe\DefaultIcon | 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iTMxVCUhe | 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iTMxVCUhe\DefaultIcon\ = "C:\\ProgramData\\iTMxVCUhe.ico" | 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.iTMxVCUhe | 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.iTMxVCUhe\ = "iTMxVCUhe" | 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid | Process | entries
2388 | 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe | 14

Suspicious behavior: RenamesItself (26 IoCs)
pid | Process | entries
940 | 1B00.tmp | 26

Suspicious use of AdjustPrivilegeToken (64 IoCs, all from pid 2388, 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe)
Token | entries
SeAssignPrimaryTokenPrivilege | 1
SeBackupPrivilege | 25
SeDebugPrivilege | 2
36 | 1
SeImpersonatePrivilege | 1
SeIncBasePriorityPrivilege | 1
SeIncreaseQuotaPrivilege | 1
33 | 1
SeManageVolumePrivilege | 1
SeProfSingleProcessPrivilege | 1
SeRestorePrivilege | 1
SeSecurityPrivilege | 25
SeSystemProfilePrivilege | 1
SeTakeOwnershipPrivilege | 1
SeShutdownPrivilege | 1
The first 16 entries are, in order: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege; the remaining 48 alternate between pairs of SeBackupPrivilege and pairs of SeSecurityPrivilege.

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target | entries
PID 2388 wrote to memory of 940 | 2388 | 2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe | 32 | 5
PID 940 wrote to memory of 2044 | 940 | 1B00.tmp | 33 | 4
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-04_1c49ec489a2e338afce7cbca2161a035_darkside.exe"
   PID: 2388
   - Loads dropped DLL
   - Drops desktop.ini file(s)
   - Sets desktop wallpaper using registry
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - System Location Discovery: System Language Discovery
   - Modifies Control Panel
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\1B00.tmp
      Command line: "C:\ProgramData\1B00.tmp"
      PID: 940
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1B00.tmp >> NUL
         PID: 2044
         - System Location Discovery: System Language Discovery

1. C:\Windows\system32\AUDIODG.EXE
   Command line: C:\Windows\system32\AUDIODG.EXE 0x148
   PID: 1664
Network
MITRE ATT&CK Enterprise v15
Downloads