Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 12-10-2024 09:55
Behavioral task: behavioral1
Sample: 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
Resource: win10v2004-20241007-en
General
Target: 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
Size: 153KB
MD5: a366442a9d5553ce1143c7b4fd6454d6
SHA1: d33b8d01b0869bad80a15d534bdb89e3c5b71520
SHA256: 497879e5d98ffd4abc0408a997f754f30cc21043d9aa794b0da2878d22653904
SHA512: a5db076cb3e37209a4d7443d5f90582753ccfa3b4380efa552a99a40dea4c6e0ffb3fef7795da5f0f50c55731cef296607bdbbafae8ac9bb45fed9a1091f6598
SSDEEP: 3072:G6glyuxE4GsUPnliByocWepMrGhNpf6+erXFzNHG3g:G6gDBGpvEByocWe7hNpo5
Malware Config
Extracted
Path: C:\xX6BQRYHV.README.txt
Family: lockbit
URLs:
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
http://lockbitapt.uz
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly
http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly
http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly
http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupp.uz
https://tox.chat/download.html
Signatures
Lockbit
  Ransomware family with multiple variants released since late 2019.
Renames multiple (362) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
Deletes itself (1 IoC)
  pid | Process
  2360 | CE85.tmp
Executes dropped EXE (1 IoC)
  pid | Process
  2360 | CE85.tmp
Loads dropped DLL (1 IoC)
  pid | Process
  3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\xX6BQRYHV.bmp" | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\xX6BQRYHV.bmp" | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid | Process
  3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  2360 | CE85.tmp
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CE85.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies Control Panel (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
Modifies registry class (5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xX6BQRYHV\DefaultIcon\ = "C:\\ProgramData\\xX6BQRYHV.ico" | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.xX6BQRYHV | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xX6BQRYHV\ = "xX6BQRYHV" | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xX6BQRYHV\DefaultIcon | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xX6BQRYHV | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe (this row is repeated 14 times in the report)
Suspicious behavior: RenamesItself (26 IoCs)
  pid | Process
  2360 | CE85.tmp (this row is repeated 26 times in the report)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeAssignPrimaryTokenPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeDebugPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: 36 | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeImpersonatePrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeIncBasePriorityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeIncreaseQuotaPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: 33 | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeManageVolumePrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeProfSingleProcessPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeRestorePrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSystemProfilePrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeTakeOwnershipPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeShutdownPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeDebugPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeBackupPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
  Token: SeSecurityPrivilege | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3060 wrote to memory of 2360 | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe | 33
  PID 3060 wrote to memory of 2360 | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe | 33
  PID 3060 wrote to memory of 2360 | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe | 33
  PID 3060 wrote to memory of 2360 | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe | 33
  PID 3060 wrote to memory of 2360 | 3060 | 2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe | 33
  PID 2360 wrote to memory of 2288 | 2360 | CE85.tmp | 34
  PID 2360 wrote to memory of 2288 | 2360 | CE85.tmp | 34
  PID 2360 wrote to memory of 2288 | 2360 | CE85.tmp | 34
  PID 2360 wrote to memory of 2288 | 2360 | CE85.tmp | 34
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-12_a366442a9d5553ce1143c7b4fd6454d6_darkside.exe"
   PID: 3060
   - Loads dropped DLL
   - Drops desktop.ini file(s)
   - Sets desktop wallpaper using registry
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - System Location Discovery: System Language Discovery
   - Modifies Control Panel
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\CE85.tmp
      Command line: "C:\ProgramData\CE85.tmp"
      PID: 2360
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CE85.tmp >> NUL
         PID: 2288
         - System Location Discovery: System Language Discovery
1. C:\Windows\system32\AUDIODG.EXE
   Command line: C:\Windows\system32\AUDIODG.EXE 0x148
   PID: 2196
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 129B
MD5: a77d48ed73fd237b681c0846f8b03878
SHA1: af55f6881bf6f5f73b07ab9d37be7d6530026b2b
SHA256: 096897af412c9bc76ad5495673c2be9a468345160a3d57582c1afabfebea8f9e
SHA512: 93ea794766212d1394f7f4dad5a06bb1e96f43a91d18947eea760d7da977a1fe823213670c7673a3a16ced18cec2fd76e051716866c5ee097c4ce1e4741dffe0

Filesize: 153KB
MD5: b4e3e3b97e4c916d46e7f2121762547e
SHA1: bb91420c03bcca33e3c2bddd75343dcf47d0b23f
SHA256: 4d12ec48a333bf724e39689d0e3502ef8060eccb38037ec89dca2d06ae87b2c8
SHA512: 7893cf27635773f34943549862466e91fe2526812955ffbbebe1591fa402d315935cf025cff14cff416b797d17d39d3167ea1194371fb053b86c196a7f7fa499

Filesize: 6KB
MD5: 86d2bc89ab0552d094ac42eb92d9bf10
SHA1: f937e0878c884a057e40240410f40ab37056cf2e
SHA256: b3f2bb8009529a706e139e7d8000470ce96b718308ad423fe8e25859997be6bd
SHA512: 3aec53b1d84e1ddf9f3078750d7fb454baaf22b2958aad243a2a797478ac7c39f3ef62e581ea75bdea399f492d5d24acec57ba7e7d64dea07ac33a334b6f9035

Filesize: 129B
MD5: 00df807217a597f911506154408d7303
SHA1: 01d3327ee303dc2c3b1473c7b7c2b0b04ebeb96b
SHA256: 5dde4950e016bb9920bc946930183f4d00e1f47215c89eff88cf565f417ddd67
SHA512: 323defc61c17088d550bf4925f6ba164e694e67c774698383f2a92cfe05658a7f6cc36286e0b70aa05ca299935d8ef439dcb138dd0773f123aae5cb0609dbd3e

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf