Resubmissions
16-01-2025 09:46
250116-lrv4vsvrfl 1015-01-2025 12:06
250115-n97aystnfk 1015-01-2025 10:51
250115-mx45dssmbn 10Analysis
-
max time kernel
77s -
max time network
37s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
15-01-2025 12:06
General
-
Target
2025-01-15_274aee2df7cc4e710e92fd1cdf3c6149_darkside.exe
-
Size
149KB
-
MD5
274aee2df7cc4e710e92fd1cdf3c6149
-
SHA1
af5a7941c9daef02cc7d13e433227a96af79c50c
-
SHA256
6e8a174a9bcf36890ed5b6b3666400b2393a45eb21ffe826067e3124f1377c21
-
SHA512
3c9adc624bd18d51334216fc0f987df3b44202546ea58f08686d401fd2da0c1f603a3ff8f6d7225d612272cd083ccaad35ce5c1530640ae8042b62d3b80dc418
-
SSDEEP
1536:/zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDusQZpHk1/Rf1YW1Eb4QXIWLUyz:AqJogYkcSNm9V7DusUpE1phELlT
Malware Config
Extracted
C:\XIrEPF3D0.README.txt
lockbit
https://tox.chat/download.html
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Lockbit family
-
Renames multiple (327) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 6 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: RenamesItself 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-15_274aee2df7cc4e710e92fd1cdf3c6149_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-15_274aee2df7cc4e710e92fd1cdf3c6149_darkside.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\342A.tmp"C:\ProgramData\342A.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\342A.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5201⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\ConvertFromConfirm.odt.XIrEPF3D01⤵
- Modifies registry class
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XIrEPF3D0.README.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1541⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5e285ab7ed9f2b787a25ee1189620c829
SHA144d42981e9136242f8597aa2d0d13a429196a8da
SHA2567f34eca59f099928cce8885ecb1ecc506a70c5238d7314fafbbf3112936f8076
SHA512fda42ddaa8199f8370409d8c8a3d66c5bb9ab98fee203616baa55dae3cd3e89a341ec2ad6152c8d9b522d05452681b327bd155cf97b4f66cb2426d05baeb5b5d
-
Filesize
149KB
MD5cd2a79ef79df60b2f5419f87ae9dbb02
SHA1e181fc97e65655869e8a2cbdd2189c5a201fd570
SHA25691611b6665c66ed640334df64dfcbb0a62dfb1f3d3b68d97d2417ce67629fdcc
SHA512a331feb27086f274a7439105a721980253e286b9dd6970a7b8adf8122efb7290e142ba12682227651fb01c4cceda593c4edbe093e2a2e6f5c03d7f43ddf0ebe6
-
Filesize
3KB
MD513bf9fb59bc3caa317d47f845baf0990
SHA160449459681777aa0e15620b08323c82722f519d
SHA256794ffaad0afeb3f5e3d08ba4f57d98ee1cfe4593abedd47692fc78136cb3c86e
SHA512b58cbcd263f2fc0cf3cfd7646e1cd11824dadb6777d48f9bb0a007b3c06c00e87f44caaf419f69c4fff3caa6c92a1b49662ac3de9cd4b59ea47e02b6757ad225
-
Filesize
129B
MD5017e7eb1a79638465c6c09baea654430
SHA183b773caf44805f0d8c33ace71883d33d09c5c93
SHA25610366c63191a1d59abbbc59ff1d3c9c111d38a2240994e8897296bd95ebc2681
SHA51288fcaecc763f90ca0ca1de0114cbc60ce9d2fba12c41ca926f663a521d4c22d611346ff4eb9156101e0da361f65269e911c4a279a6697820f4dc781f59106061
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
256KB