Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/03/2025, 08:20

General

  • Target

    2025-03-25_9c538ff5f541f0e8b9b2cc8386b40c65_darkside_lockbit.exe

  • Size

    146KB

  • MD5

    9c538ff5f541f0e8b9b2cc8386b40c65

  • SHA1

    689fcc9c3a30efe6ff5bee231506bf3c4637e6e8

  • SHA256

    90fcaf3926265ba790e6245975b3106617b89f4d7fe2a7733a6ecd0f7ac79bb2

  • SHA512

    1367c402cab5e89d6863f9dad5faf497d7e15a8ce9a0644c314f523d2435f95286048ef4d87c65096a024c6f4a299049f15d863c30054ef666fa053102c25122

  • SSDEEP

    3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS7:V6gDBGpvEByocWeauV2gvzwUg

Malware Config

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note

~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~

>>>> Your data is encrypted... but dont freak out
If we encrypted you, you majorly fucked up. But... all can be saved
But not for free, we require an xmr payment

>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption.
Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right?
If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important.
There is no dissatisfied victim after payment.

>>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID
Download and install TOR Browser https://www.torproject.org/
Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while
Links for Tor Browser:
http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/
Link for the normal browser
http://group.goocasino.org
https://nullbulge.com

>>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C384686CA4FA0A3DF

>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Signatures

  • Renames multiple (313) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-25_9c538ff5f541f0e8b9b2cc8386b40c65_darkside_lockbit.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-25_9c538ff5f541f0e8b9b2cc8386b40c65_darkside_lockbit.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\ProgramData\2EED.tmp
      "C:\ProgramData\2EED.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2EED.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2720
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x148
    1⤵
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\EEEEEEEEEEE

      Filesize

      129B

      MD5

      1c10b9138c945bbb6c760d471a6f6e47

      SHA1

      0b163459aa18f4bc76de32c239e35f6e2a8bbc0c

      SHA256

      d7fafe7d18eaa045a284c2b10fccd6d092e7ca4c150c56470ef1bad0f579b928

      SHA512

      faf575a16bd876e4095cd4324b5c1075d6c8991104387249881ce1a192cf1a191d8e6c6f04f59cd34c2d1da6a18189f52e6e360c8b07b2e56391eb309bcc0b34

    • C:\7V7uPExzv.README.txt

      Filesize

      1KB

      MD5

      e31d8e5ec89c1cee2572ed37d1829c7d

      SHA1

      4b2d7d7386c44771a5e00baefe11752e29cc0c16

      SHA256

      da5d335038cc79a256c88bca5d1c429ebf790678fa85d46339b818d4ab0a91ed

      SHA512

      8af01d55743e41d93c53520172a16ed3e51c4b743af3ce1f2c4bc757f780c631fd598c87c896b8df8b276ef620975c27e199d06122034b644bcf5e0af58995d8

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      146KB

      MD5

      2501f613fc16c7f37681c9488630f3ea

      SHA1

      ef611c90f85ebba27d42770681cfd882e88de4c8

      SHA256

      34d7ba71d0f836a8bc5aaea1354b953b81b1d3136b7be6e930c2cfcd7b9f929e

      SHA512

      1b0477f7fb822c45841333d236bb6571323ca3e793e9e58a24f81c2c9590587e03486eeea0fde3953de6d5d011d0e873d6948e0a952e9305b4812906755366f3

    • F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      0a8404171e12abfd85912011693638e9

      SHA1

      1f91004dc29f6f25003342fdb2e3de81ccebd878

      SHA256

      76b2a33621c0de31d05b30c9ef821493f273bbcf7f840bcb5682acc3622d4c95

      SHA512

      57811ce85f3e40fe18a31ba7187468a47b328723c784747aba1bce1575400d5e5d73f09aec3592f6d59d642524bab7cb6ac847de0c527cae5def3112797deb99

    • \ProgramData\2EED.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/2192-837-0x0000000000401000-0x0000000000404000-memory.dmp

      Filesize

      12KB

    • memory/2192-839-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/2192-840-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/2192-841-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/3028-1-0x0000000000100000-0x0000000000140000-memory.dmp

      Filesize

      256KB

    • memory/3028-0-0x0000000000100000-0x0000000000140000-memory.dmp

      Filesize

      256KB