Analysis

  • max time kernel
    147s
  • max time network
    140s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    20/04/2025, 15:08

General

  • Target

    2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe

  • Size

    153KB

  • MD5

    971b1c13e0efcb5b4ff57b5c67dff89f

  • SHA1

    ed70ff12beb69ede3e6eb7ee9416ad0a091ff2f2

  • SHA256

    f4b0e3079b13b0c117d358461348e4b15986b4b9173504605bc3035c53527df1

  • SHA512

    f82956ae6ce0110fe3670a04484f802473247d051faa56e7fccfe352812f291d70b49a477e6e73cd3da416d8434752617f8e6833f8aa78524f6a46881649ac40

  • SSDEEP

    3072:Q6glyuxE4GsUPnliByocWepKQiPCNK6bs44:Q6gDBGpvEByocWekovA44

Malware Config

Extracted

Path

C:\Users\V86sTiCVN.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: 31AA38EAB9D3CB674AF390431475B34D >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly
URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Lockbit family
  • Renames multiple (588) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:3968
    • C:\ProgramData\762B.tmp
      "C:\ProgramData\762B.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\762B.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3552
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:5740
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5080
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{FCB93997-9C46-465A-993F-DAF0EBFE2238}.xps" 133896352967590000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3708

    Network

    MITRE ATT&CK Enterprise v16

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-599783296-1627459723-2423478968-1000\JJJJJJJJJJJ

      Filesize

      129B

      MD5

      91033b3d59f65017a529bb0a109b7c07

      SHA1

      7cb56754e15310008efc439566740847314173f2

      SHA256

      d20428a5b6eb0bcd2558fcbd3ecab31d89451dbdd3956336f05e112a04444390

      SHA512

      09bef8b5ac06d7723bd41e47ee0508b75f90d235ecfe120cb513a4293dfa9c1aa15f4097d79508ad49f65f12767f7ababfedb6565848225a033af87b8db71695

    • C:\ProgramData\762B.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

      Filesize

      153KB

      MD5

      e3d37add22b687d836ff72de86572702

      SHA1

      eeadedb1e7215a96bffbb3945dff05e052c82d93

      SHA256

      f5f3bc9e35d876bae48df6de82392418e2d4416f928325722d68133a4674740f

      SHA512

      5af379bccdcfde0ab792a1a92d9a114435e46ba58b8271da258926835ba6904aa9941a050f8f364b0ac84ba7ee932f838e01bf500c909ce8f8fb67423c38d01e

    • C:\Users\Admin\AppData\Local\Temp\{D3178B67-1392-4681-9BAC-761DD79E0879}

      Filesize

      4KB

      MD5

      6881b836a342607405f90ca9b88f3d3a

      SHA1

      1a4b4e5b3e751307122e85a75558436c9bea67c0

      SHA256

      7797b4fcab5dc6a637a8a97683e9b1e30e74d5ada65d6f0b6f4379f9c0c8d931

      SHA512

      82c7b72df66a69e34e5ce84ade1d8a772387ad4649e41740e49865cde8ce362c7c02fce828c1226468442155ffa34cef65b3036f4cbe1c57453a1ef7a6f282e5

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      e28e8cf7fbc1b3c3117e501e7cefba32

      SHA1

      d677e0c9940dffa2815c746443d2e77d88780770

      SHA256

      fcc695367e4acddcf6ec4fba23b0777c558ebfb0b170f82751a7584bac0c9aba

      SHA512

      b35104077a57da5930df15b96d6c58a8c113a6eebe2d8c82423c84bb42923cf34dcb52ba72db7d5a6fd2cf6da7ba76442a02e8a8d1772eca2022bbba60b0d6e9

    • C:\Users\V86sTiCVN.README.txt

      Filesize

      6KB

      MD5

      b68e8700aaef67efa52ca6cc001e1ebc

      SHA1

      814a1dabc523fb9db85484e5df51d9e9a191593c

      SHA256

      617decb61b0a22b3bc50423b030e37df13d32f3c096dbf37d7e03cb9bd8b4eb2

      SHA512

      29f6d12968fe911cadfde2932c3ebffab71570b6fefd42dcc22aa2a595d8c8df29c29e41c4667a1a37f2de4f22fe4b0fa7969468d48f6351b13796337c6ad1fe

    • F:\$RECYCLE.BIN\S-1-5-21-599783296-1627459723-2423478968-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      9b01fbca2b2c155459eb316b38b47e70

      SHA1

      266eb2bc748e764ae13672c90fe378a3e5257c1e

      SHA256

      1c10b1797b4df711af5e3aeed5a6b9f40b109b31e75c97117a3c70e30827f5cc

      SHA512

      1c89e24f0500e49fde33c50f26642927ac9ff416aa85eebfc3fbb6ae82911f2244aa5dc5d8339bdea19b64859aabb000c383a000ab753cef07623bb0831e30ce

    • memory/3020-0-0x00000000031D0000-0x00000000031E0000-memory.dmp

      Filesize

      64KB

    • memory/3020-3561-0x00000000031D0000-0x00000000031E0000-memory.dmp

      Filesize

      64KB

    • memory/3020-3559-0x00000000031D0000-0x00000000031E0000-memory.dmp

      Filesize

      64KB

    • memory/3020-3560-0x00000000031D0000-0x00000000031E0000-memory.dmp

      Filesize

      64KB

    • memory/3020-1-0x00000000031D0000-0x00000000031E0000-memory.dmp

      Filesize

      64KB

    • memory/3020-2-0x00000000031D0000-0x00000000031E0000-memory.dmp

      Filesize

      64KB

    • memory/3708-3576-0x00007FF930B50000-0x00007FF930B60000-memory.dmp

      Filesize

      64KB

    • memory/3708-3578-0x00007FF930B50000-0x00007FF930B60000-memory.dmp

      Filesize

      64KB

    • memory/3708-3577-0x00007FF930B50000-0x00007FF930B60000-memory.dmp

      Filesize

      64KB

    • memory/3708-3580-0x00007FF930B50000-0x00007FF930B60000-memory.dmp

      Filesize

      64KB

    • memory/3708-3581-0x00007FF930B50000-0x00007FF930B60000-memory.dmp

      Filesize

      64KB

    • memory/3708-3610-0x00007FF92E190000-0x00007FF92E1A0000-memory.dmp

      Filesize

      64KB

    • memory/3708-3611-0x00007FF92E190000-0x00007FF92E1A0000-memory.dmp

      Filesize

      64KB