Overview

overview

8

Static

static

2819f3bba9...bb.exe

windows7-x64

8

2819f3bba9...bb.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    92s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/10/2022, 19:08

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2819f3bba9a58f832a5528bf4f635b5f9b02684607271ec72956ee5fd1688fbb.exe

  • Size

    3.0MB

  • MD5

    a34fa2bd6f8c26f24c0fbe9865248d5d

  • SHA1

    dd76cfd025fa5147d96b81ea8410142e75d6d877

  • SHA256

    2819f3bba9a58f832a5528bf4f635b5f9b02684607271ec72956ee5fd1688fbb

  • SHA512

    ecc6444739bbc5455d177f23b41cddc9e96b46ac8a0a6726df756e0ae695f6afa2627337d06eb5ef92f44b9e66da2bc87ac888794768a2901dd3c6b282da6b83

  • SSDEEP

    49152:SgCh1LGumhuW+5S0z0pEhd/l0mWKp719Qq3yobleQD80gboI5/4X0W0z0pEhd/ln:HCPSpED/ppLh3ScE4X0ypED/pT

Score
8/10
discoveryevasionpersistencetrojanupx

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 44 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2819f3bba9a58f832a5528bf4f635b5f9b02684607271ec72956ee5fd1688fbb.exe
    "C:\Users\Admin\AppData\Local\Temp\2819f3bba9a58f832a5528bf4f635b5f9b02684607271ec72956ee5fd1688fbb.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Users\Admin\AppData\Local\Temp\jiedian.exe
      "C:\Users\Admin\AppData\Local\Temp\jiedian.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4908
      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
        "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:662050 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\jiedian.exe" "__IRCT:2" "__IRTSS:0" "__IRSID:S-1-5-21-2891029575-1462575-1165213807-1000"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1564
        • C:\Program Files (x86)\DragonBox\DragonBox.exe
          "C:\Program Files (x86)\DragonBox\DragonBox.exe" -autorun
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:3708
  • C:\ProgramData\Megic\lasse.exe
    C:\ProgramData\Megic\lasse.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:4244

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\DragonBox\DragonBox.exe
          Filesize

          1.5MB

          MD5

          cbb2db2566dde5e2b9c6a636471ffa23

          SHA1

          38704738c646a9afa729cefd31ca0c8f28a9f54c

          SHA256

          4358b654751d9a43cc53543c297c1d862fcd0f94140dcfc1193a87857c1faf8e

          SHA512

          572cc9b09678904e604c6e9fad0dc21565596660cad2fdb79c644f50a012d44244caeea369e2f850fb784d0c0b33bef7938adcabb9568ab5775da941074f4b64

          Download Submit

        • C:\Program Files (x86)\DragonBox\DragonBox.exe
          Filesize

          1.5MB

          MD5

          cbb2db2566dde5e2b9c6a636471ffa23

          SHA1

          38704738c646a9afa729cefd31ca0c8f28a9f54c

          SHA256

          4358b654751d9a43cc53543c297c1d862fcd0f94140dcfc1193a87857c1faf8e

          SHA512

          572cc9b09678904e604c6e9fad0dc21565596660cad2fdb79c644f50a012d44244caeea369e2f850fb784d0c0b33bef7938adcabb9568ab5775da941074f4b64

          Download Submit

        • C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll
          Filesize

          1.3MB

          MD5

          73edb6d203e0230b2ab4e4da57dd6bee

          SHA1

          4a71903b57abd639425394340d1a6067da760f0a

          SHA256

          a469eb021d4f0e5536d265bba0bf27dc82c5eb12ec3a70375331dab97163f544

          SHA512

          2b5552971fe90de9088f87913ce3ba82269eb929dbedb583d50b305211a5cb74cb42ebbfd60c935587de1deb8c38334361b2f6b5d750a9dcad73798e840cf1d5

          Download Submit

        • C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll
          Filesize

          1.3MB

          MD5

          73edb6d203e0230b2ab4e4da57dd6bee

          SHA1

          4a71903b57abd639425394340d1a6067da760f0a

          SHA256

          a469eb021d4f0e5536d265bba0bf27dc82c5eb12ec3a70375331dab97163f544

          SHA512

          2b5552971fe90de9088f87913ce3ba82269eb929dbedb583d50b305211a5cb74cb42ebbfd60c935587de1deb8c38334361b2f6b5d750a9dcad73798e840cf1d5

          Download Submit

        • C:\Program Files (x86)\DragonBox\gametypebak.json
          Filesize

          21KB

          MD5

          242aec89243b0957523287ae5d18b9b8

          SHA1

          9d54d2b8bf3d52d927fd89b172621d496b5f83e6

          SHA256

          e9b77b8fb317ac44289644e195f8510061ed6c724458a8203e13d33d4882b249

          SHA512

          a32cc60ee1c0c1e3ce8b4133bf314ab7be7ee3ca56ee37c51d7c562d35cf80bb1ebe4f74d6dc3656fbe36a0b2020e6c72cc7be6cd6e618a51c7fa55e38b7da68

          Download Submit

        • C:\Program Files (x86)\DragonBox\setting.ini
          Filesize

          77B

          MD5

          042bc14b5ec4a59244ac348812dc2e8a

          SHA1

          7adb7489f0971dfedf5fd7928bde722245c1f3f9

          SHA256

          20519e50b789d627420ea36122c1759b5c12d47714b6af9e672221aeec424648

          SHA512

          4bf01a575480257873900a2d251aed31d7b2cd1344eed9accd73c3984cc0929369ca27192bb27592fa07369523e707667ebb0c9a2cf9a41bd686a56038524099

          Download Submit

        • C:\Program Files (x86)\DragonBox\version.ini
          Filesize

          53B

          MD5

          1b38736d6e54c9b3b78807bbca68f348

          SHA1

          0cc44962449b1f54e1d2f606584ce513dc088cf6

          SHA256

          013612c2be8a8d41bee8b17db9aa51291f52f5dcd405ceb0b15f37eb5c16b774

          SHA512

          32830fb79214bf523088f6cb29ff2652dc48920297b0ca216ab2ac9ba7ae2826ce6c70ac495202f6985f9a6acab22b7078f48739e22a6c7deeb3a47115326b6b

          Download Submit

        • C:\ProgramData\Megic\lasse.exe
          Filesize

          248KB

          MD5

          ecf79310b8a51b2a472689619d42a42c

          SHA1

          36e328fccda8f2f3d926e472d968072a9c732c0f

          SHA256

          6acfdd085ed2f92c013f0bdac5456f2190b5101b1499d7489055083dd334a396

          SHA512

          321a73b6f2f362fdbccbbac80411dd2bf4721b1b5c640e986fb3114ca3ada75702fac697db8fa1c066ad4145cc44b8d226ff93575b9cbe24ad505cd7f8187321

          Download Submit

        • C:\ProgramData\Megic\lasse.exe
          Filesize

          248KB

          MD5

          ecf79310b8a51b2a472689619d42a42c

          SHA1

          36e328fccda8f2f3d926e472d968072a9c732c0f

          SHA256

          6acfdd085ed2f92c013f0bdac5456f2190b5101b1499d7489055083dd334a396

          SHA512

          321a73b6f2f362fdbccbbac80411dd2bf4721b1b5c640e986fb3114ca3ada75702fac697db8fa1c066ad4145cc44b8d226ff93575b9cbe24ad505cd7f8187321

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
          Filesize

          566KB

          MD5

          3fe7c92dba5c9240b4ab0d6a87e6166a

          SHA1

          7980d7dffc073515b621834246dda33ab00c308d

          SHA256

          a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258

          SHA512

          bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
          Filesize

          566KB

          MD5

          3fe7c92dba5c9240b4ab0d6a87e6166a

          SHA1

          7980d7dffc073515b621834246dda33ab00c308d

          SHA256

          a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258

          SHA512

          bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\jiedian.exe
          Filesize

          2.9MB

          MD5

          1641766934172d4ef320103147ba77f3

          SHA1

          8562b7fb3cad46e555bcfacfc14ad2924971955e

          SHA256

          dc9b2fac8c2e6caed9a9864f04bd55ddf3acb000d5b93645f1e0218f1921c75c

          SHA512

          ccd3c3e572c7dc2bfe929ed8e49afaef366d87f056a5eb894ccca3d428f44dba7e018fcd3e8307f8b81db38ba6c376c498b9d773fcbae930d8f5a97b27a671cd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\jiedian.exe
          Filesize

          2.9MB

          MD5

          1641766934172d4ef320103147ba77f3

          SHA1

          8562b7fb3cad46e555bcfacfc14ad2924971955e

          SHA256

          dc9b2fac8c2e6caed9a9864f04bd55ddf3acb000d5b93645f1e0218f1921c75c

          SHA512

          ccd3c3e572c7dc2bfe929ed8e49afaef366d87f056a5eb894ccca3d428f44dba7e018fcd3e8307f8b81db38ba6c376c498b9d773fcbae930d8f5a97b27a671cd

          Download Submit

        • memory/1564-141-0x0000000000400000-0x0000000000581000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1564-140-0x0000000000400000-0x0000000000581000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1564-149-0x0000000000400000-0x0000000000581000-memory.dmp

          Filesize

          1.5MB

          Download