Overview

overview

10

Static

static

10

2025-01-15...de.exe

windows7-x64

10

2025-01-15...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-01-2025 10:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-15_274aee2df7cc4e710e92fd1cdf3c6149_darkside.exe

  • Size

    149KB

  • MD5

    274aee2df7cc4e710e92fd1cdf3c6149

  • SHA1

    af5a7941c9daef02cc7d13e433227a96af79c50c

  • SHA256

    6e8a174a9bcf36890ed5b6b3666400b2393a45eb21ffe826067e3124f1377c21

  • SHA512

    3c9adc624bd18d51334216fc0f987df3b44202546ea58f08686d401fd2da0c1f603a3ff8f6d7225d612272cd083ccaad35ce5c1530640ae8042b62d3b80dc418

  • SSDEEP

    1536:/zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDusQZpHk1/Rf1YW1Eb4QXIWLUyz:AqJogYkcSNm9V7DusUpE1phELlT

Score
10/10
lockbitdefense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\XIrEPF3D0.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019 ~~~ >>>>> Your data are stolen and encrypted! The data will be published and sold on Dark Web if you do not pay the ransom. >>>>> What guarantees that we will not deceive you? We are the oldest extortion gang on the planet and nothing is more important to us than our reputation. We are not a politically motivated group and want nothing but financial rewards for our work. If we defraud even one client, other clients will not pay us. In 5 years, not a single client has been left dissatisfied after making a deal with us. If you pay the ransom, we will fulfill all the terms we agreed upon during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators' salaries. >>>>> Warning! Do not delete or modify encrypted files, it will lead to irreversible problems with decryption of files! >>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you. They will forbid you from paying the ransom and will not help you in any way, you will be left with encrypted files and your business will die. >>>>> When buying bitcoin, do not tell anyone the true purpose of the purchase. Some brokers, especially in the US, do not allow you to buy bitcoin to pay ransom. Communicate any other reason for the purchase, such as: personal investment in cryptocurrency, bitcoin as a gift, paying to buy assets for your business using bitcoin, cryptocurrency payment for consulting services, cryptocurrency payment for any other services, cryptocurrency donations, buying bitcoin to participate in ICO and buy other cryptocurrencies, buying cryptocurrencies to leave an inheritance for your children, or any other purpose for buying cryptocurrency. Also you can use adequate cryptocurrency brokers who do not ask questions for what you buy cryptocurrency. >>>>> After buying cryptocurrency from a broker, store the cryptocurrency on a cold wallet, such as - or any other cold cryptocurrency wallet, more details on https://bitcoin.org. By paying the ransom from your personal cold cryptocurrency wallet, you will avoid any problems from regulators, police and brokers. >>>>> Don't be afraid of any legal consequences, you were very scared, that's why you followed all our instructions, it's not your fault if you are very scared. Not a single company that paid us has had issues. Any excuses are just for insurance company to not pay on their obligation. >>>>> You need to contact us using qTox messenger: https://tox.chat/download.html Using qTox messenger, state the name of your company because you are not the only one we target. Our Tox ID (Striker): 91484E29483E5AF0F3C99BE4F3B9B15A2758B945C839097D0C90E88D66486442D96365D2E29E You only have 3 days to contact us.
URLs

https://tox.chat/download.html

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Lockbit family
    lockbit
  • Renames multiple (345) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-15_274aee2df7cc4e710e92fd1cdf3c6149_darkside.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-15_274aee2df7cc4e710e92fd1cdf3c6149_darkside.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\ProgramData\FDCF.tmp
      "C:\ProgramData\FDCF.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\FDCF.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1760
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:2820

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini
      Filesize

      129B

      MD5

      5af9ac095cf504e20718791cb06908dc

      SHA1

      c92a114b3050404bca0caa410b54ce5c058d0d47

      SHA256

      5281756ea702c6eb1926bfd28cb2c50ff3796c017e2681cd30fe27ac7732bf12

      SHA512

      fdaae51ac27168f6ad3f80677e70a9cffb9f37bfd8bf3e707c45a0fea2afd68e40ac383917c27945920feef280615917325c1c1afef116daa76b32940dbe3f8d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
      Filesize

      149KB

      MD5

      2c29c84578c7d72dc7e0430f96d8e4af

      SHA1

      018da0b70228f559416f8ba2c0d52663041864bb

      SHA256

      5ba5e573324e1099557cf5466c6518041e5d4424463f3074669f5d3d04762179

      SHA512

      e1fa5f72c5979c92b1a01ec21b650b07fa389aa52b332ebd69a411cfc69f4d82d1ef570bbfffab939a56c3ba0a70ad7e7f4112a8130c3fe822fc02707370d20c

      Download Submit

    • C:\XIrEPF3D0.README.txt
      Filesize

      3KB

      MD5

      13bf9fb59bc3caa317d47f845baf0990

      SHA1

      60449459681777aa0e15620b08323c82722f519d

      SHA256

      794ffaad0afeb3f5e3d08ba4f57d98ee1cfe4593abedd47692fc78136cb3c86e

      SHA512

      b58cbcd263f2fc0cf3cfd7646e1cd11824dadb6777d48f9bb0a007b3c06c00e87f44caaf419f69c4fff3caa6c92a1b49662ac3de9cd4b59ea47e02b6757ad225

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      e3f0d5835ed8944ec0da21e48cb743bd

      SHA1

      a8fe0435eee1e054d47f00b9b790e1608f18af68

      SHA256

      694c51e9347bb04ef7b4e7cfede2f428132e327d3aeabc252ee7cd36ef809a4f

      SHA512

      f2dde352ee0d76e4181f3973b12521c6184d06426390c8bb36d7890bde500ec0a132a9c9dfce0951e00fd61569dcf4acc0f559c247f7bb4ed1343b1296206ce8

      Download Submit

    • \ProgramData\FDCF.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • memory/932-878-0x0000000000401000-0x0000000000404000-memory.dmp

      Filesize

      12KB

      Download

    • memory/932-880-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1928-0-0x0000000000500000-0x0000000000540000-memory.dmp

      Filesize

      256KB

      Download