File name:	2025-03-24_3dfd85447b58dd8369f27c495e846e98_darkside_lockbit
Full analysis:	https://app.any.run/tasks/f207dd2e-55fe-44d2-8052-482a4a6d2e79
Verdict:	Malicious activity
Threats:	LockBit, a ransomware variant, encrypts data on infected machines, demanding a ransom payment for decryption. Used in targeted attacks, It's a significant risk to organizations. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 16:52:32
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer lockbit ransomware arch-scr
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	3DFD85447B58DD8369F27C495E846E98
SHA1:	ED991B92EC7161442C449EDF62B22A3D3CF20C95
SHA256:	D64F55A0EAFC1E08231B95D4CB1F89AA60E7A8F8A6D99F2976D4DDEFB5A94F2D
SSDEEP:	3072:SmhXodguLP/5qUpfDT6zT73g9uMkHUOE8CVSrB85R:yKzAMS8CAr+5

.dll	\|	Win32 Dynamic Link Library (generic) (38.3)
.exe	\|	Win32 Executable (generic) (26.2)
.exe	\|	Win16/32 Executable Delphi generic (12)
.exe	\|	Generic Win/DOS Executable (11.6)
.exe	\|	DOS Executable Generic (11.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:09:09 01:27:01+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.12
CodeSize:	99328
InitializedDataSize:	50688
UninitializedDataSize:	-
EntryPoint:	0x1946f
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI


(PID) Process:	(4776) dllhost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(2108) ShellExperienceHost.exe	Key:	\REGISTRY\A\{4d4642ac-28c5-fc95-4165-b6249677214f}\LocalState
Operation:	write	Name:	PeekBadges
Value: 5B005D000000F825A02FDD9CDB01
(PID) Process:	(6404) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aBKVixsiM\OpenWithProgids
Operation:	write	Name:	aBKVixsiM
Value:
(PID) Process:	(5072) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aBKVixsiM\OpenWithProgids
Operation:	write	Name:	aBKVixsiM
Value:
(PID) Process:	(6572) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aBKVixsiM\OpenWithProgids
Operation:	write	Name:	aBKVixsiM
Value:
(PID) Process:	(3020) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aBKVixsiM\OpenWithProgids
Operation:	write	Name:	aBKVixsiM
Value:
(PID) Process:	(456) OpenWith.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aBKVixsiM\OpenWithProgids
Operation:	write	Name:	aBKVixsiM
Value:
(PID) Process:	(6660) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation:	write	Name:	SafeSearchMode
Value: 1
(PID) Process:	(6660) SearchApp.exe	Key:	\REGISTRY\A\{98a1ed5b-dd81-869b-b290-5f8c70aa1ea0}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_USEREMAIL
Value: 0000187DA377DD9CDB01
(PID) Process:	(6660) SearchApp.exe	Key:	\REGISTRY\A\{98a1ed5b-dd81-869b-b290-5f8c70aa1ea0}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_ACCOUNTTYPETEXT
Value: 0000FEE2A677DD9CDB01

PID	Process	Filename		Type
1512	2025-03-24_3dfd85447b58dd8369f27c495e846e98_darkside_lockbit.exe	C:\$Recycle.Bin\S-1-5-18\IIIIIIIIIII		binary
		MD5:350EB1DA59F2BE1A1119F36B1023C738	SHA256:8DF95694F22989F9AC5DFC4FA3C4ABDBB1118F18B4617B872B5105D845F73D22
1512	2025-03-24_3dfd85447b58dd8369f27c495e846e98_darkside_lockbit.exe	C:\$Recycle.Bin\S-1-5-18\FFFFFFFFFFF		binary
		MD5:350EB1DA59F2BE1A1119F36B1023C738	SHA256:8DF95694F22989F9AC5DFC4FA3C4ABDBB1118F18B4617B872B5105D845F73D22
1512	2025-03-24_3dfd85447b58dd8369f27c495e846e98_darkside_lockbit.exe	C:\$Recycle.Bin\S-1-5-18\BBBBBBBBBBB		binary
		MD5:350EB1DA59F2BE1A1119F36B1023C738	SHA256:8DF95694F22989F9AC5DFC4FA3C4ABDBB1118F18B4617B872B5105D845F73D22
1512	2025-03-24_3dfd85447b58dd8369f27c495e846e98_darkside_lockbit.exe	C:\$Recycle.Bin\S-1-5-18\GGGGGGGGGGG		binary
		MD5:350EB1DA59F2BE1A1119F36B1023C738	SHA256:8DF95694F22989F9AC5DFC4FA3C4ABDBB1118F18B4617B872B5105D845F73D22
1512	2025-03-24_3dfd85447b58dd8369f27c495e846e98_darkside_lockbit.exe	C:\$Recycle.Bin\S-1-5-18\AAAAAAAAAAA		binary
		MD5:350EB1DA59F2BE1A1119F36B1023C738	SHA256:8DF95694F22989F9AC5DFC4FA3C4ABDBB1118F18B4617B872B5105D845F73D22
1512	2025-03-24_3dfd85447b58dd8369f27c495e846e98_darkside_lockbit.exe	C:\$Recycle.Bin\S-1-5-18\NNNNNNNNNNN		binary
		MD5:350EB1DA59F2BE1A1119F36B1023C738	SHA256:8DF95694F22989F9AC5DFC4FA3C4ABDBB1118F18B4617B872B5105D845F73D22
1512	2025-03-24_3dfd85447b58dd8369f27c495e846e98_darkside_lockbit.exe	C:\$Recycle.Bin\S-1-5-18\JJJJJJJJJJJ		binary
		MD5:350EB1DA59F2BE1A1119F36B1023C738	SHA256:8DF95694F22989F9AC5DFC4FA3C4ABDBB1118F18B4617B872B5105D845F73D22
1512	2025-03-24_3dfd85447b58dd8369f27c495e846e98_darkside_lockbit.exe	C:\$Recycle.Bin\S-1-5-18\KKKKKKKKKKK		binary
		MD5:350EB1DA59F2BE1A1119F36B1023C738	SHA256:8DF95694F22989F9AC5DFC4FA3C4ABDBB1118F18B4617B872B5105D845F73D22
1512	2025-03-24_3dfd85447b58dd8369f27c495e846e98_darkside_lockbit.exe	C:\$Recycle.Bin\S-1-5-18\PPPPPPPPPPP		binary
		MD5:350EB1DA59F2BE1A1119F36B1023C738	SHA256:8DF95694F22989F9AC5DFC4FA3C4ABDBB1118F18B4617B872B5105D845F73D22
1512	2025-03-24_3dfd85447b58dd8369f27c495e846e98_darkside_lockbit.exe	C:\$Recycle.Bin\S-1-5-18\RRRRRRRRRRR		binary
		MD5:350EB1DA59F2BE1A1119F36B1023C738	SHA256:8DF95694F22989F9AC5DFC4FA3C4ABDBB1118F18B4617B872B5105D845F73D22

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	204	2.23.227.208:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted
—	—	GET	200	2.23.227.208:443	https://www.bing.com/manifest/threshold.appcache	unknown	text	3.46 Kb	whitelisted
—	—	GET	200	2.23.227.208:443	https://www.bing.com/rb/6i/ortl,cc,nc/QNBBNqWD9F_Blep-UqQSqnMp-FI.css?bu=AcoK&or=w	unknown	text	6 b	whitelisted
—	—	GET	200	2.23.227.215:443	https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w	unknown	binary	21.3 Kb	whitelisted
—	—	GET	200	2.23.227.215:443	https://www.bing.com/rb/16/jnc,nj/pNXV2ymlrFEAOVLUgJkRBRwYFkY.js?bu=Diozf4wBkwGWAYkBggGGAcQBxwEzuwHKAQ&or=w	unknown	binary	21.7 Kb	whitelisted
—	—	GET	200	2.23.227.215:443	https://www.bing.com/rb/19/cir3,ortl,cc,nc/vOJNaIfAXvJzmnBm845ss-M9YR8.css?bu=B4QDRvEC1gFkZI8D&or=w	unknown	text	5.97 Kb	whitelisted
—	—	GET	200	2.23.227.208:443	https://www.bing.com/rp/-iNIzuEypRdgRJ6xnyVHizZ3bpM.br.js	unknown	binary	17.0 Kb	whitelisted
—	—	GET	200	2.23.227.215:443	https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init	unknown	html	127 Kb	whitelisted
—	—	GET	200	2.23.227.208:443	https://www.bing.com/rb/19/cir3,ortl,cc,nc/FgBbpIj0thGWZOh_xFnM9i4O7ek.css?bu=C_QJ-AOrBcoKrgmYCbcHZGRkZA&or=w	unknown	text	19.8 Kb	whitelisted
—	—	GET	200	2.23.227.215:443	https://www.bing.com/rp/0u2b9EXo8LdXut1MFm4AD0phBuM.br.js	unknown	binary	1.44 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6660	SearchApp.exe	2.23.227.208:443	www.bing.com	Ooredoo Q.S.C.	QA	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	172.217.16.206	whitelisted
www.bing.com	2.23.227.208 2.23.227.215	whitelisted

General Info

2025-03-24_3dfd85447b58dd8369f27c495e846e98_darkside_lockbit

3DFD85447B58DD8369F27C495E846E98

ED991B92EC7161442C449EDF62B22A3D3CF20C95

D64F55A0EAFC1E08231B95D4CB1F89AA60E7A8F8A6D99F2976D4DDEFB5A94F2D

3072:SmhXodguLP/5qUpfDT6zT73g9uMkHUOE8CVSrB85R:yKzAMS8CAr+5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Known privilege escalation attack

RANSOMWARE has been detected

[YARA] LockBit is detected

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Renames files like ransomware

SUSPICIOUS

Reads security settings of Internet Explorer

Write to the desktop.ini file (may be used to cloak folders)

INFO

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Reads the computer name

Checks supported languages

Creates files in the program directory

Manual execution by a user

Creates files or folders in the user directory

Reads Microsoft Office registry keys

Create files in a temporary directory

Checks proxy server information

Reads the software policy settings

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings