lockbit | a8db150f736de8b8654c7390cee378aebb1a8f11c13869fe9e63c223e4376766

General

Target

2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Size

153KB
MD5

768c44a8ca7375f504ef546e50218314
SHA1

605726530534b476abf0a940c118a74e1f0b7a19
SHA256

a8db150f736de8b8654c7390cee378aebb1a8f11c13869fe9e63c223e4376766
SHA512

167adaa6e9c3f3d73320388e10791e0e2ac1be9ccbdd9805a95b754699285f67682e0b6e218a0e1eedc962947feefa58582c1c5ed2387e1218faccab696f1249
SSDEEP

3072:FqJogYkcSNm9V7D3IzFIROodFQYNJIXoT:Fq2kc4m9tD3IzFloTzJa

Score

10^/10

lockbit defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\pKSLKLNeI.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit
Renames multiple (345) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

D28B.tmp

pid process

1356 D28B.tmp
Executes dropped EXE 1 IoCs

Processes:

D28B.tmp

pid process

1356 D28B.tmp
Loads dropped DLL 1 IoCs

Processes:

2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe

pid process

2116 2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\pKSLKLNeI.bmp"	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\pKSLKLNeI.bmp"	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

D28B.tmp

pid process

1356 D28B.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exeD28B.tmpcmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D28B.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\WallpaperStyle = "10"	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe

Modifies registry class 5 IoCs

Processes:

2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pKSLKLNeI	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pKSLKLNeI\ = "pKSLKLNeI"	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pKSLKLNeI\DefaultIcon	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pKSLKLNeI	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pKSLKLNeI\DefaultIcon\ = "C:\\ProgramData\\pKSLKLNeI.ico"	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

856 NOTEPAD.EXE

pid	process
856	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe

pid	process
2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

D28B.tmp

pid	process
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp
1356	D28B.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeDebugPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: 36	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeImpersonatePrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeIncBasePriorityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeIncreaseQuotaPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: 33	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeManageVolumePrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeProfSingleProcessPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeRestorePrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSystemProfilePrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeTakeOwnershipPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeShutdownPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeDebugPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeBackupPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
Token: SeSecurityPrivilege	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NOTEPAD.EXE

pid process

856 NOTEPAD.EXE

pid	process
856	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exeD28B.tmp

description	pid	process	target process
PID 2116 wrote to memory of 1356	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe	D28B.tmp
PID 2116 wrote to memory of 1356	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe	D28B.tmp
PID 2116 wrote to memory of 1356	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe	D28B.tmp
PID 2116 wrote to memory of 1356	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe	D28B.tmp
PID 2116 wrote to memory of 1356	2116	2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe	D28B.tmp
PID 1356 wrote to memory of 2780	1356	D28B.tmp	cmd.exe
PID 1356 wrote to memory of 2780	1356	D28B.tmp	cmd.exe
PID 1356 wrote to memory of 2780	1356	D28B.tmp	cmd.exe
PID 1356 wrote to memory of 2780	1356	D28B.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-07_768c44a8ca7375f504ef546e50218314_darkside.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\ProgramData\D28B.tmp
  "C:\ProgramData\D28B.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D28B.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\pKSLKLNeI.README.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:856

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150
1⤵
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\IIIIIIIIIII

Filesize
129B

MD5
2fbbe8389be09b4f832a1434af8ff910

SHA1
1c642122c192514673815a1e74ac218cdcc6cb7d

SHA256
736dd236573607492082dc74136e93f3bb6035f719f0d6e850c268835bd76009

SHA512
3bf64fc3f1c79097630c9e7c99044286c26fc3d7838d1ca87145918c5a5ec0a51dc0ce99dd26e6e5324d05f1217b3cd1eb5d9ec450e6b8ddcc7f243b4364788c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
153KB

MD5
0c897279c61f0288c67ed04e27ce79e9

SHA1
e3303fbeb2f1b20173e5858b990c85b870f873c9

SHA256
06424c5cbae19fef4d783f7438d68354a2e558b3a9caad86b0ccdf3b1781c811

SHA512
83a6acc0e2ad0ea4fa61666c4c201dbb7f95194f5496618d45f3501ce559214e86b0c8f381e9fab3331e6633f654446cc3b0ee0aa89cceca17072abd888bb16a

Download Submit
C:\pKSLKLNeI.README.txt

Filesize
6KB

MD5
dd746ace17e44ace00885b91400f11d5

SHA1
4a0302d2dca400598f396e4230fdae71779cbeaa

SHA256
b27c3c8a30faf7c76483b7e5d964ae85046a9713caa46508ee7a1e31b7dc6272

SHA512
8ac26aa7262fdf1afdc74e604720a79ebde076c75f460d7d5f57ff4d81dedb1ad471eb114ddd428c1934029746f5c222339090680bc77a6ea09ce329e1da3ef1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\DDDDDDDDDDD

Filesize
129B

MD5
3d5749c3abb2bddc12a70f1ce8a41dd4

SHA1
cebe30c49375342c6716a7ae89a1639c8c628964

SHA256
d08ac8b671fb03fed465b47ac6d4ed35ce7b7dbc9a78a698e5c72caaaae277da

SHA512
b36c864d0d7e15e34cbf14a2ac7c4925e70f1f3232886c3d154eb342784969514203e30de7818ac60f1c545b70fa733af20502d65f8cba25de1ded8a7b552322

Download Submit
\ProgramData\D28B.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1356-875-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/1356-874-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/1356-873-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/1356-872-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1356-876-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1356-906-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/1356-905-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2116-0-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads