Resubmissions

06/06/2025, 14:39

250606-r1hssabj4x 10

06/06/2025, 05:05

250606-fqv5kswxaw 10

06/06/2025, 04:54

250606-fjmvmawwe1 10

05/06/2025, 17:23

250605-vyd9csfj4z 10

05/06/2025, 15:18

250605-spt74sen5t 10

05/06/2025, 15:06

250605-sg43cazmv9 10

05/06/2025, 15:02

250605-seepnsyyet 10

02/06/2025, 10:32

250602-mkxjsayzbv 10

Analysis

  • geolocation tags

    na, new-jersey, north-america, united-states, us, usa
  • max time kernel
    746s
  • max time network
    465s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/06/2025, 15:18

General

  • Target

    2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe

  • Size

    148KB

  • MD5

    cb6845218d57d663976bf1fa2a4d6ddb

  • SHA1

    0635c1f6cece23efe1df63de9cb72715c123cbaa

  • SHA256

    7855bee142c5abc5a3aa7f58a6a43cfb85df05d94fbb3a07bfe83cb73cf81281

  • SHA512

    f0eff1a4c9a338ef2dece334d19fc9ef6ab421722e901ff0200de74e6df55594bca3abc43cebd0753fee47f71143e45097e74472b6e2b8b17e2bb28525ff5ea0

  • SSDEEP

    3072:46glyuxE4GsUPnliByocWepVfB4vN2H7/yXHKR9W4cn:46gDBGpvEByocWe3fB2NO7gP4

Malware Config

Extracted

Path

C:\g0Bwcr1Ri.README.txt

Ransom Note
********************************************************************************************
************************ Your data are stolen and encrypted ****************************

1. How to contact?
* 1. You can use tox: https://qtox.github.io/ send message to us. Tox ID : 465928E63E40E772C89D47543523651AA761E5CC0599ED43C0D6E3AE1EFB9A01C14457E1F32D
* 2. You can send email to us, Email address : [email protected]
Suggestion : Contact us in two ways at the same time, if you haven't received a reply to your email, please check your spam folder.

2. How to pay?
* Contact us.

3. What guarantees that we will not deceive you?
* We are not a politically motivated group and we do not need anything other than your money If you pay, we will provide you the programs for decryption and we will delete your data.
* If we do not give you decrypters or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important.
* We attack the hundreds of companies and there is no dissatisfied victim after payment.

4. What happens if you do not pay?
* If you don't pay, the data will be sold on auction platform after 72 hours, data will be bought by your competitors, and we will report your company fail to protect data as a result of a data breach to the data protection authority in your country, you could face significant fines.
* Do not hesitate for a long time, the sooner pay, the sooner your company will be safe.
* If you pay, we will delete data immediately, we can also provide you an paid hacking services. You can pay for the services after the hacking is successful. Please trust our strength.

5. Warning!
* Do not DELETE or MODIFY any files, it can lead to recovery problems!
* If you do not pay the ransom we will attack your company repeatedly again!

*** Your DECRYPTION ID: 4DE13DAE43BC114D7BD10EAA5532D262
************************ Your data are stolen and encrypted **************************
******************************************************************************************
URLs

https://qtox.github.io/

Signatures

  • Renames multiple (699) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:3704
    • C:\ProgramData\BE8E.tmp
      "C:\ProgramData\BE8E.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3960
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BE8E.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1584
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:3192
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3104
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{1045A5D2-84DC-4C72-8975-3C467F4B4C76}.xps" 133936105452110000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:1100

    Network

          MITRE ATT&CK Enterprise v16

          Downloads

          • C:\$Recycle.Bin\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini

            Filesize

            129B

            MD5

            bc5e43fcb25afd56df2ca6d8858d3b46

            SHA1

            fc64070c6a761e86f6a77442202fe7406719b5cb

            SHA256

            a7ed43ae8017a35384e59c4c5931176d47ae81beaebd1f04dd68e59fc0d2615a

            SHA512

            5acd44044a2eda97f137b6210d31c13b131dbfd8a17f08d03aba7f8f7ffbeaa2398f004de579817297eabcc1fddaa799fced033e4a41bd57f98c20be83cdf7c0

          • C:\ProgramData\BE8E.tmp

            Filesize

            14KB

            MD5

            294e9f64cb1642dd89229fff0592856b

            SHA1

            97b148c27f3da29ba7b18d6aee8a0db9102f47c9

            SHA256

            917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

            SHA512

            b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

          • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

            Filesize

            148KB

            MD5

            9cbdf12cf9251688d40d946624e309a5

            SHA1

            5b23529becdd0c5dcdac7468474e3db33542929b

            SHA256

            15fcab8cbbb4e6f6451c7fe9b85cd8a56fdb606ef1c1607ca42a29a79e3e01dd

            SHA512

            2e090ca54625ef13706cfc43b30e1d182774094845ea71d922d3e4c1007f0aa6db8ba35bf1d7c387b6cd61f143433e311c5f0353c0f606fb2d1483757a071ad5

          • C:\Users\Admin\AppData\Local\Temp\{F90AF491-99DE-4058-B814-B29154CADF67}

            Filesize

            4KB

            MD5

            898b89c79c293866088e839fd36e90c1

            SHA1

            c3be7e90dc0a471d323f2273840255a26b976921

            SHA256

            d316274f87664942fd9df797802320a4a22f01aa00f4c6d15b700bbaa4939857

            SHA512

            dd3f3f1c11b370d686da18d4a81372018077be08d273c194ae1843da54adc0628ea0f5f9a0cede17b0140c34b36993343ab6dbd0294dc74933172d78871cdf9c

          • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

            Filesize

            4KB

            MD5

            a6d1bed83277557c33a83a9fb3f0ec89

            SHA1

            0c7d74e6a1bd075ffb41d310efc2d6684e6ce383

            SHA256

            7aeb433c054610d042bb4ef3a5296d451fabef97317becb1fad65ffc996ca40e

            SHA512

            557bdeb0a2369f78f06821228b4cd33788e3e857300b9f2ad55cc34f8a2920db57103e97475eb27f7d0e2ee07fa1f635dc407361ce63fd10c72cf6a6517d6579

          • C:\g0Bwcr1Ri.README.txt

            Filesize

            2KB

            MD5

            b10fb6a4fb075eb70221d3a644ddc1c8

            SHA1

            70f57d7359875e2b3d13d019791468a27da07b7b

            SHA256

            cd7d12a8b250b5102d534cabdc2375f57871608338da8852f705d57bd47cecb5

            SHA512

            5737bc6be99c636f05fd2380f575c5de29bf6f9d6b723ca904678e78fce99fcf7b2c4e51c69b56b78fae1e192dba72bba2f2694d607340c074d2b3b600dd2dbe

          • F:\$RECYCLE.BIN\S-1-5-21-1153236273-2212388449-1493869963-1000\DDDDDDDDDDD

            Filesize

            129B

            MD5

            12ebda9d3882d04c3905f0bd1d8c46fe

            SHA1

            f2266d168d583c55b4a0403d5da7903c38500d40

            SHA256

            325c5878d545887bd5f1c574c842781c8cf5ca2b62804595656dda91a836bf86

            SHA512

            4860a888856278a330be198f1ab762e57c89388b917a7c54e36c7eaf4b24a220a95e3bafd3ec2828ec34291a2ce1f1c01d5b3c43a8ff2e55c7ec128e2f70eb00

          • memory/1100-3529-0x00007FFCD6970000-0x00007FFCD6980000-memory.dmp

            Filesize

            64KB

          • memory/1100-3563-0x00007FFCD40F0000-0x00007FFCD4100000-memory.dmp

            Filesize

            64KB

          • memory/1100-3528-0x00007FFCD6970000-0x00007FFCD6980000-memory.dmp

            Filesize

            64KB

          • memory/1100-3562-0x00007FFCD40F0000-0x00007FFCD4100000-memory.dmp

            Filesize

            64KB

          • memory/1100-3530-0x00007FFCD6970000-0x00007FFCD6980000-memory.dmp

            Filesize

            64KB

          • memory/1100-3532-0x00007FFCD6970000-0x00007FFCD6980000-memory.dmp

            Filesize

            64KB

          • memory/1100-3533-0x00007FFCD6970000-0x00007FFCD6980000-memory.dmp

            Filesize

            64KB

          • memory/2164-3512-0x00000000031D0000-0x00000000031E0000-memory.dmp

            Filesize

            64KB

          • memory/2164-2-0x00000000031D0000-0x00000000031E0000-memory.dmp

            Filesize

            64KB

          • memory/2164-0-0x00000000031D0000-0x00000000031E0000-memory.dmp

            Filesize

            64KB

          • memory/2164-3513-0x00000000031D0000-0x00000000031E0000-memory.dmp

            Filesize

            64KB

          • memory/2164-1-0x00000000031D0000-0x00000000031E0000-memory.dmp

            Filesize

            64KB

          • memory/2164-3511-0x00000000031D0000-0x00000000031E0000-memory.dmp

            Filesize

            64KB