Analysis Overview
SHA256
7855bee142c5abc5a3aa7f58a6a43cfb85df05d94fbb3a07bfe83cb73cf81281
Threat Level: Known bad
The file 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit was found to be: Known bad.
Malicious Activity Summary
Rule to detect Lockbit 3.0 ransomware Windows payload
Lockbit family
Renames multiple (699) files with added filename extension
Executes dropped EXE
Reads user/profile data of web browsers
Deletes itself
Checks computer location settings
Drops desktop.ini file(s)
Indicator Removal: File Deletion
Drops file in System32 directory
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Checks processor information in registry
Modifies Control Panel
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-06-05 15:18
Signatures
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-06-05 15:18
Reported
2025-06-05 15:37
Platform
win10v2004-20250502-en
Max time kernel
746s
Max time network
465s
Command Line
Signatures
Renames multiple (699) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation | C:\ProgramData\BE8E.tmp | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe | N/A |
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\spool\PRINTERS\PPlu3c6e_wvkht5athwwr4qzrob.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPwlxs3z_007io6jpezy6s78x3c.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPufa2rn5vivj09x6ifmifoq1yc.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\g0Bwcr1Ri.bmp" | C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\g0Bwcr1Ri.bmp" | C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\BE8E.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.g0Bwcr1Ri | C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.g0Bwcr1Ri\ = "g0Bwcr1Ri" | C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\g0Bwcr1Ri\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\g0Bwcr1Ri | C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\g0Bwcr1Ri\DefaultIcon\ = "C:\\ProgramData\\g0Bwcr1Ri.ico" | C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
| N/A | N/A | C:\ProgramData\BE8E.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
"C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{1045A5D2-84DC-4C72-8975-3C467F4B4C76}.xps" 133936105452110000
C:\ProgramData\BE8E.tmp
"C:\ProgramData\BE8E.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BE8E.tmp >> NUL
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| US | 52.109.6.63:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| CA | 142.250.69.35:80 | c.pki.goog | tcp |
Files
memory/2164-2-0x00000000031D0000-0x00000000031E0000-memory.dmp
memory/2164-0-0x00000000031D0000-0x00000000031E0000-memory.dmp
memory/2164-1-0x00000000031D0000-0x00000000031E0000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini
| Hash | Value |
| --- | --- |
| MD5 | bc5e43fcb25afd56df2ca6d8858d3b46 |
| SHA1 | fc64070c6a761e86f6a77442202fe7406719b5cb |
| SHA256 | a7ed43ae8017a35384e59c4c5931176d47ae81beaebd1f04dd68e59fc0d2615a |
| SHA512 | 5acd44044a2eda97f137b6210d31c13b131dbfd8a17f08d03aba7f8f7ffbeaa2398f004de579817297eabcc1fddaa799fced033e4a41bd57f98c20be83cdf7c0 |
C:\g0Bwcr1Ri.README.txt
| Hash | Value |
| --- | --- |
| MD5 | b10fb6a4fb075eb70221d3a644ddc1c8 |
| SHA1 | 70f57d7359875e2b3d13d019791468a27da07b7b |
| SHA256 | cd7d12a8b250b5102d534cabdc2375f57871608338da8852f705d57bd47cecb5 |
| SHA512 | 5737bc6be99c636f05fd2380f575c5de29bf6f9d6b723ca904678e78fce99fcf7b2c4e51c69b56b78fae1e192dba72bba2f2694d607340c074d2b3b600dd2dbe |
F:\$RECYCLE.BIN\S-1-5-21-1153236273-2212388449-1493869963-1000\DDDDDDDDDDD
| Hash | Value |
| --- | --- |
| MD5 | 12ebda9d3882d04c3905f0bd1d8c46fe |
| SHA1 | f2266d168d583c55b4a0403d5da7903c38500d40 |
| SHA256 | 325c5878d545887bd5f1c574c842781c8cf5ca2b62804595656dda91a836bf86 |
| SHA512 | 4860a888856278a330be198f1ab762e57c89388b917a7c54e36c7eaf4b24a220a95e3bafd3ec2828ec34291a2ce1f1c01d5b3c43a8ff2e55c7ec128e2f70eb00 |
memory/2164-3511-0x00000000031D0000-0x00000000031E0000-memory.dmp
memory/2164-3512-0x00000000031D0000-0x00000000031E0000-memory.dmp
memory/2164-3513-0x00000000031D0000-0x00000000031E0000-memory.dmp
memory/1100-3528-0x00007FFCD6970000-0x00007FFCD6980000-memory.dmp
C:\ProgramData\BE8E.tmp
| Hash | Value |
| --- | --- |
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
memory/1100-3530-0x00007FFCD6970000-0x00007FFCD6980000-memory.dmp
memory/1100-3532-0x00007FFCD6970000-0x00007FFCD6980000-memory.dmp
memory/1100-3533-0x00007FFCD6970000-0x00007FFCD6980000-memory.dmp
memory/1100-3529-0x00007FFCD6970000-0x00007FFCD6980000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
| Hash | Value |
| --- | --- |
| MD5 | 9cbdf12cf9251688d40d946624e309a5 |
| SHA1 | 5b23529becdd0c5dcdac7468474e3db33542929b |
| SHA256 | 15fcab8cbbb4e6f6451c7fe9b85cd8a56fdb606ef1c1607ca42a29a79e3e01dd |
| SHA512 | 2e090ca54625ef13706cfc43b30e1d182774094845ea71d922d3e4c1007f0aa6db8ba35bf1d7c387b6cd61f143433e311c5f0353c0f606fb2d1483757a071ad5 |
memory/1100-3562-0x00007FFCD40F0000-0x00007FFCD4100000-memory.dmp
memory/1100-3563-0x00007FFCD40F0000-0x00007FFCD4100000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{F90AF491-99DE-4058-B814-B29154CADF67}
| Hash | Value |
| --- | --- |
| MD5 | 898b89c79c293866088e839fd36e90c1 |
| SHA1 | c3be7e90dc0a471d323f2273840255a26b976921 |
| SHA256 | d316274f87664942fd9df797802320a4a22f01aa00f4c6d15b700bbaa4939857 |
| SHA512 | dd3f3f1c11b370d686da18d4a81372018077be08d273c194ae1843da54adc0628ea0f5f9a0cede17b0140c34b36993343ab6dbd0294dc74933172d78871cdf9c |
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
| Hash | Value |
| --- | --- |
| MD5 | a6d1bed83277557c33a83a9fb3f0ec89 |
| SHA1 | 0c7d74e6a1bd075ffb41d310efc2d6684e6ce383 |
| SHA256 | 7aeb433c054610d042bb4ef3a5296d451fabef97317becb1fad65ffc996ca40e |
| SHA512 | 557bdeb0a2369f78f06821228b4cd33788e3e857300b9f2ad55cc34f8a2920db57103e97475eb27f7d0e2ee07fa1f635dc407361ce63fd10c72cf6a6517d6579 |