Overview

overview

10

Static

static

10

2025-01-13...de.exe

windows7-x64

10

2025-01-13...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    13-01-2025 18:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-13_204a6e377040484c69471170666d438e_darkside.exe

  • Size

    156KB

  • MD5

    204a6e377040484c69471170666d438e

  • SHA1

    ac2b038561f5768ecad430f1acd94987e6aeba03

  • SHA256

    b9844b013059f5378d1906fd756b41ae402ed4f47a70f1b679da0b5b74346236

  • SHA512

    3a4dd0190e64eb769475be5c41dcdb1174c8581117ca237ade626884ac10c235de560d71a027db4bd2fc5ebd2653d1fc4b31d691068a92a22bbeda5999deb495

  • SSDEEP

    3072:XDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368m/yactafNzFt3B3HwW:J5d/zugZqll3qyXkfNht

Score
10/10
defense_evasiondiscoveryransomware

Malware Config

Extracted

Path

C:\QHGbHpQ3N.README.txt

Ransom Note
~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~ >>>>> Your data is stolen and encrypted. BLOG Tor Browser Links: http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/ http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/ http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/ http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/ http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/ http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/ http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/ >>>>> What guarantee is there that we won't cheat you? We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live >>>>> You need to contact us on TOR darknet sites with your personal ID Download and install Tor Browser https://www.torproject.org/ Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world. Tor Browser personal link for CHAT available only to you (available during a ddos attack): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks): http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >> Your personal Black ID: A58A500505762AE9F64ED56944F6AA77 << >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

  • Renames multiple (172) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-13_204a6e377040484c69471170666d438e_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-13_204a6e377040484c69471170666d438e_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\ProgramData\896B.tmp
      "C:\ProgramData\896B.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\896B.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2084
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2060
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:1648

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini
      Filesize

      129B

      MD5

      87cfd624a426b509503696f41223f1e8

      SHA1

      9ec2dd6444616a82d51810f7104812bfbdf893ca

      SHA256

      b5b0c120fa7c878cd2714c48d8427442c8a37d41ecc9d9349efc149b9b52c53d

      SHA512

      67ae09e5eb003eadf82c94a6f561883bae9d00e859dd5d534894c0b13a10f23c3b74e486fdff12d9eca512da98acc46e7af76dd984fd40fcf86f118a4a45a736

      Download Submit

    • C:\QHGbHpQ3N.README.txt
      Filesize

      3KB

      MD5

      328c4054ffb9e3cd9997feaea72e7e81

      SHA1

      3f5c3efbaf4f021388d3bcb58da8043cfddb977d

      SHA256

      b66667355cde3aa204389d9a6de08aa2c833a342a8a5095e374c5b6fcff9ed99

      SHA512

      665bf1a95553f19a85000b0d15a15abe150eaf394d2df1de83e22aee9a16ecb56c764c05d28b03a283f2f9eefda1a276f74bcb978b923a948db6414534b89fda

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
      Filesize

      156KB

      MD5

      44458c669eafef7ff968f5d00e67d1ad

      SHA1

      6147f983f1b0bace0f321caede32dc576f8d596c

      SHA256

      abe66445424368ab91f284a5a44dbbd55195cd33d2f65e3b675af843edc7bb87

      SHA512

      b275efb44344000125b94c59e9ff46368722ffdea8f7f51a11823ef622d06d21f979a91acb08c6ed70f02a74aea8ca11b4aaa7c5f6c4a48b77a0feae1178e58d

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2039016743-699959520-214465309-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      19e5f388a7d4093b6b1239b6facd7adf

      SHA1

      4e3fa7892b4c6c4104cd14681ab6e18e1081cd84

      SHA256

      7d11d0ae3b4054a40f3cfe0f0d59725f6529db70721ef44cb9c0c749774f01c2

      SHA512

      3cb3c3f84c7a11080f2d192cea7ad0865f1f148a396d17fcdf8ac2305514bb7658ca856dccdac0f56d2658d105bdfe21eee43249d973d1327a825b52e1e9b627

      Download Submit

    • \ProgramData\896B.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • memory/2288-0-0x0000000000D00000-0x0000000000D40000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2644-304-0x00000000002E0000-0x0000000000320000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2644-306-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2644-305-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2644-303-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2644-337-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2644-338-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

      Download