Analysis
max time kernel: 118s
max time network: 125s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11-11-2024 16:31

Behavioral task: behavioral1
Sample: 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe
Resource: win10v2004-20241007-en
General
Target: 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe
Size: 153KB
MD5: 93cf3fe77915d035f83391341aecc34d
SHA1: 2ec1b0cf53e0899d31619c1b315f42d5a92c4614
SHA256: ce3213c5ed329edd8fb73a20e3428b753814df3d2f9425662656aea3f2ad616a
SHA512: d691d904329739a9253cf63836f3fa8d752f81bd4adc020acdb6b42910179f73fcd691b383157c4a8990e9600f47d63c0b2c678049b462b6fbba06d3af124053
SSDEEP: 1536:szICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD56t3z+ByoGXhYW/pc03tEffioq:DqJogYkcSNm9V7D56lXXhYFZhAbtzT
Malware Config
Extracted from: C:\LFzM1x1jR.README.txt
Family: lockbit
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Lockbit family

Renames multiple (364) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Deletes itself (1 IoC)
- pid 944, process 233A.tmp

Executes dropped EXE (1 IoC)
- pid 944, process 233A.tmp

Loads dropped DLL (1 IoC)
- pid 2984, process 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (2 IoCs)
- File opened for modification: C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini (process: 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe)
- File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini (process: 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe)

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\LFzM1x1jR.bmp" (process: 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\LFzM1x1jR.bmp" (process: 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
- pid 944, process 233A.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 233A.tmp)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
Modifies Control Panel (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop (process: 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\WallpaperStyle = "10" (process: 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe)

Modifies registry class (5 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.LFzM1x1jR (process: 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.LFzM1x1jR\ = "LFzM1x1jR" (process: 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\LFzM1x1jR\DefaultIcon (process: 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\LFzM1x1jR (process: 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\LFzM1x1jR\DefaultIcon\ = "C:\\ProgramData\\LFzM1x1jR.ico" (process: 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe)
Suspicious behavior: EnumeratesProcesses (14 IoCs)
- pid 2984, process 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe (all 14 entries identical)

Suspicious behavior: RenamesItself (26 IoCs)
- pid 944, process 233A.tmp (all 26 entries identical)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 entries are pid 2984, process 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe. Tokens, in order of first appearance:
- SeAssignPrimaryTokenPrivilege
- SeBackupPrivilege
- SeDebugPrivilege
- 36
- SeImpersonatePrivilege
- SeIncBasePriorityPrivilege
- SeIncreaseQuotaPrivilege
- 33
- SeManageVolumePrivilege
- SeProfSingleProcessPrivilege
- SeRestorePrivilege
- SeSecurityPrivilege
- SeSystemProfilePrivilege
- SeTakeOwnershipPrivilege
- SeShutdownPrivilege
The remaining entries repeat SeDebugPrivilege once and then alternate pairs of SeBackupPrivilege and SeSecurityPrivilege for the rest of the 64.
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 2984 wrote to memory of 944 (process: 2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe, procid_target 31), 5 entries
- PID 944 wrote to memory of 2236 (process: 233A.tmp, procid_target 32), 4 entries
Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-11_93cf3fe77915d035f83391341aecc34d_darkside.exe"
PID: 2984
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\ProgramData\233A.tmp (depth 2, child of PID 2984)
  Command line: "C:\ProgramData\233A.tmp"
  PID: 944
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3, child of PID 944)
    Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\233A.tmp >> NUL
    PID: 2236
    - System Location Discovery: System Language Discovery

C:\Windows\system32\AUDIODG.EXE (depth 1)
Command line: C:\Windows\system32\AUDIODG.EXE 0x148
PID: 1560
MITRE ATT&CK Enterprise v15