Resubmissions
07-11-2024 02:22
- 241107-ctx7kateln 10 07-11-2024 02:04
- 241107-cg9d3ashpa 10 07-11-2024 01:55
- 241107-ccbbga1qhs 10
Analysis
- max time kernel: 75s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 07-11-2024 02:22
Behavioral task behavioral1
- Sample: 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
- Resource: win7-20241010-en
Behavioral task behavioral2
- Sample: 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
- Resource: win10v2004-20241007-en
General
- Target: 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
- Size: 153KB
- MD5: 768c44a8ca7375f504ef546e50218314
- SHA1: 605726530534b476abf0a940c118a74e1f0b7a19
- SHA256: a8db150f736de8b8654c7390cee378aebb1a8f11c13869fe9e63c223e4376766
- SHA512: 167adaa6e9c3f3d73320388e10791e0e2ac1be9ccbdd9805a95b754699285f67682e0b6e218a0e1eedc962947feefa58582c1c5ed2387e1218faccab696f1249
- SSDEEP: 3072:FqJogYkcSNm9V7D3IzFIROodFQYNJIXoT:Fq2kc4m9tD3IzFloTzJa
Malware Config
Extracted
- Path: C:\pKSLKLNeI.README.txt
- Family: lockbit
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Lockbit family
- Renames multiple (345) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself (1 IoCs)
  pid 1356, process D28B.tmp
- Executes dropped EXE (1 IoCs)
  pid 1356, process D28B.tmp
- Loads dropped DLL (1 IoCs)
  pid 2116, process 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini, by 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini, by 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\pKSLKLNeI.bmp", by 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\pKSLKLNeI.bmp", by 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid 1356, process D28B.tmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by D28B.tmp
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by cmd.exe
- Modifies Control Panel (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop, by 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\WallpaperStyle = "10", by 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
- Modifies registry class (5 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.pKSLKLNeI, by 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.pKSLKLNeI\ = "pKSLKLNeI", by 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\pKSLKLNeI\DefaultIcon, by 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\pKSLKLNeI, by 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\pKSLKLNeI\DefaultIcon\ = "C:\\ProgramData\\pKSLKLNeI.ico", by 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid 856, process NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 2116, process 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe (14 identical entries)
- Suspicious behavior: RenamesItself (26 IoCs)
  pid 1356, process D28B.tmp (26 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All entries are Token adjustments by pid 2116, process 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe. Distinct tokens in order of first appearance: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege. The remaining entries are repeated SeDebugPrivilege, SeBackupPrivilege and SeSecurityPrivilege adjustments by the same process.
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 856, process NOTEPAD.EXE
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2116 (2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe) wrote to memory of 1356, procid_target 33 (5 identical entries)
  PID 1356 (D28B.tmp) wrote to memory of 2780, procid_target 34 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe"
  PID: 2116
  Signatures: Loads dropped DLL; Drops desktop.ini file(s); Sets desktop wallpaper using registry; System Location Discovery: System Language Discovery; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\ProgramData\D28B.tmp
    Command line: "C:\ProgramData\D28B.tmp"
    PID: 1356
    Signatures: Deletes itself; Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D28B.tmp >> NUL
      PID: 2780
      Signatures: System Location Discovery: System Language Discovery
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\pKSLKLNeI.README.txt
  PID: 856
  Signatures: Opens file in notepad (likely ransom note); Suspicious use of FindShellTrayWindow
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x150
  PID: 2104
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: 2fbbe8389be09b4f832a1434af8ff910
  SHA1: 1c642122c192514673815a1e74ac218cdcc6cb7d
  SHA256: 736dd236573607492082dc74136e93f3bb6035f719f0d6e850c268835bd76009
  SHA512: 3bf64fc3f1c79097630c9e7c99044286c26fc3d7838d1ca87145918c5a5ec0a51dc0ce99dd26e6e5324d05f1217b3cd1eb5d9ec450e6b8ddcc7f243b4364788c
- Filesize: 153KB
  MD5: 0c897279c61f0288c67ed04e27ce79e9
  SHA1: e3303fbeb2f1b20173e5858b990c85b870f873c9
  SHA256: 06424c5cbae19fef4d783f7438d68354a2e558b3a9caad86b0ccdf3b1781c811
  SHA512: 83a6acc0e2ad0ea4fa61666c4c201dbb7f95194f5496618d45f3501ce559214e86b0c8f381e9fab3331e6633f654446cc3b0ee0aa89cceca17072abd888bb16a
- Filesize: 6KB
  MD5: dd746ace17e44ace00885b91400f11d5
  SHA1: 4a0302d2dca400598f396e4230fdae71779cbeaa
  SHA256: b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272
  SHA512: 8ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1
- Filesize: 129B
  MD5: 3d5749c3abb2bddc12a70f1ce8a41dd4
  SHA1: cebe30c49375342c6716a7ae89a1639c8c628964
  SHA256: d08ac8b671fb03fed465b47ac6d4ed35ce7b7dbc9a78a698e5c72caaaae277da
  SHA512: b36c864d0d7e15e34cbf14a2ac7c4925e70f1f3232886c3d154eb342784969514203e30de7818ac60f1c545b70fa733af20502d65f8cba25de1ded8a7b552322
- Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf