bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913b

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe
Size

3.0MB
MD5

1a8a99c90906c349060944e027fd1550
SHA1

7edb6c08d439c0e581d7a387a2095300061c293a
SHA256

bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913b
SHA512

846dc680a3d1c7487c3bc69ad07256377e2105b5de876997e0a59b64131324dcbc94a605c99a8bb89434e74c95dedff78bea7be116d41da1eb620bb1a7220497
SSDEEP

49152:9gCh1LGumhuW+5S0z0pEhd/l0mWKp719Qq3yobleQD80gboI5/4X0W0z0pEhd/lc:+CPSpED/ppLh3ScE4X0ypED/pg

Score

7^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2756	jiedian.exe
2116	irsetup.exe
1924	lasse.exe
2260	DragonBox.exe

Loads dropped DLL 15 IoCs

pid	Process
2668	bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe
2756	jiedian.exe
2756	jiedian.exe
2756	jiedian.exe
2756	jiedian.exe
2116	irsetup.exe
2116	irsetup.exe
2116	irsetup.exe
2116	irsetup.exe
2116	irsetup.exe
2116	irsetup.exe
2116	irsetup.exe
2116	irsetup.exe
2116	irsetup.exe
2260	DragonBox.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DragonBox = "C:\\Program Files (x86)\\DragonBox\\DragonBox.exe -autorun"	irsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DragonBox.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\inst.ini	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\selfUpdate.exe	lasse.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates\walcome.exe	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\walcome.exe	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\update.exe	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\doload.text	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates\walcome.exe	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\update.exe	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\spsrv.exe	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates\tmpfomr.exe	lasse.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000017226-10.dat	upx
behavioral1/memory/2756-12-0x0000000002C90000-0x0000000002E11000-memory.dmp	upx
behavioral1/memory/2116-24-0x0000000000400000-0x0000000000581000-memory.dmp	upx
behavioral1/memory/2116-123-0x0000000001F30000-0x0000000001F40000-memory.dmp	upx
behavioral1/memory/2116-149-0x0000000000400000-0x0000000000581000-memory.dmp	upx

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\DragonBox\Uninstall\IRIMG1.JPG	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\resdata.db-journal	DragonBox.exe
File created	C:\Program Files (x86)\DragonBox\html\klist.html	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\setting.ini	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\gametypebak.json	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Update.exe	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\svcupdate.exe	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\version.ini	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\uninstall.dat	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\images\Thumbs.db	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\gametypebak.json	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\setting.ini	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\IRIMG2.JPG	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\skins\PixOS.ssk	DragonBox.exe
File created	C:\Program Files (x86)\DragonBox\uninstall.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\404.html	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\right.html	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\right.html	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\WebGame.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\svcupdate.exe	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\DragonBox.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Uninstall\uninstall.dat	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\uniF788.tmp	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\404.html	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\klist.html	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\unrar.dll	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Update.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\WebGame.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\resdata.db	DragonBox.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Uninstall\uniF788.tmp	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\images\logo.gif	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\unrar.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\setting.ini	DragonBox.exe
File created	C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\version.ini	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\DragonBox.exe	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\images\logo.gif	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\images\rightlogo.gif	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\images\rightlogo.gif	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\images\Thumbs.db	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\IRIMG1.JPG	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DragonBox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lasse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jiedian.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	DragonBox.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	DragonBox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	DragonBox.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1924	lasse.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2260	DragonBox.exe
2260	DragonBox.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2260	DragonBox.exe
2260	DragonBox.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2668	bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe
2116	irsetup.exe
2116	irsetup.exe
2260	DragonBox.exe
2260	DragonBox.exe
2260	DragonBox.exe
2260	DragonBox.exe
2260	DragonBox.exe
2260	DragonBox.exe
2260	DragonBox.exe
2260	DragonBox.exe
2260	DragonBox.exe
2260	DragonBox.exe
2260	DragonBox.exe
2260	DragonBox.exe
2260	DragonBox.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2756	2668	bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe	30
PID 2668 wrote to memory of 2756	2668	bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe	30
PID 2668 wrote to memory of 2756	2668	bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe	30
PID 2668 wrote to memory of 2756	2668	bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe	30
PID 2668 wrote to memory of 2756	2668	bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe	30
PID 2668 wrote to memory of 2756	2668	bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe	30
PID 2668 wrote to memory of 2756	2668	bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe	30
PID 2756 wrote to memory of 2116	2756	jiedian.exe	31
PID 2756 wrote to memory of 2116	2756	jiedian.exe	31
PID 2756 wrote to memory of 2116	2756	jiedian.exe	31
PID 2756 wrote to memory of 2116	2756	jiedian.exe	31
PID 2756 wrote to memory of 2116	2756	jiedian.exe	31
PID 2756 wrote to memory of 2116	2756	jiedian.exe	31
PID 2756 wrote to memory of 2116	2756	jiedian.exe	31
PID 2116 wrote to memory of 2260	2116	irsetup.exe	35
PID 2116 wrote to memory of 2260	2116	irsetup.exe	35
PID 2116 wrote to memory of 2260	2116	irsetup.exe	35
PID 2116 wrote to memory of 2260	2116	irsetup.exe	35

C:\Users\Admin\AppData\Local\Temp\bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe
"C:\Users\Admin\AppData\Local\Temp\bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\jiedian.exe
  "C:\Users\Admin\AppData\Local\Temp\jiedian.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:662050 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\jiedian.exe" "__IRCT:2" "__IRTSS:0" "__IRSID:S-1-5-21-1506706701-1246725540-2219210854-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Program Files (x86)\DragonBox\DragonBox.exe
      "C:\Program Files (x86)\DragonBox\DragonBox.exe" -autorun
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2260

C:\ProgramData\Megic\lasse.exe
C:\ProgramData\Megic\lasse.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll

Filesize
1.3MB

MD5
73edb6d203e0230b2ab4e4da57dd6bee

SHA1
4a71903b57abd639425394340d1a6067da760f0a

SHA256
a469eb021d4f0e5536d265bba0bf27dc82c5eb12ec3a70375331dab97163f544

SHA512
2b5552971fe90de9088f87913ce3ba82269eb929dbedb583d50b305211a5cb74cb42ebbfd60c935587de1deb8c38334361b2f6b5d750a9dcad73798e840cf1d5

Download Submit
C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml

Filesize
4KB

MD5
b7836905546abd3f25e52cae93691c19

SHA1
7df88974881793978ed81e4104ca24515f957739

SHA256
8b4c18bd9884942b756571b0e47677f9ea2644f3ca7b8e5bcc051c35412834bb

SHA512
d4e63bb9d0f539e44284158bb129e32d58179590273e0b9bcdcf01992cd3f25f091ac3f5c9dd07c4b504469e5b776d3472f19c5e0bffe9dfc0ccc4602f5f9d01

Download Submit
C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml

Filesize
5KB

MD5
d45f87cc877e16f61e49420a8f7493df

SHA1
3d832e1d52599a274ca3f7ad4b6a0ed9c629799d

SHA256
dabf7b0cc9a09741d0571946f4279aae694bce8b7d8e4c8043969f229733bafe

SHA512
5d93c61f379818e8d374790d406e80bb8c6ee3c0ff4e03ef1d3addb01c046a06e72bddb13ec989361808c0f491ad555d9aaa1e20fce733bf7a2416e17d609ece

Download Submit
C:\Program Files (x86)\DragonBox\gametypebak.json

Filesize
21KB

MD5
242aec89243b0957523287ae5d18b9b8

SHA1
9d54d2b8bf3d52d927fd89b172621d496b5f83e6

SHA256
e9b77b8fb317ac44289644e195f8510061ed6c724458a8203e13d33d4882b249

SHA512
a32cc60ee1c0c1e3ce8b4133bf314ab7be7ee3ca56ee37c51d7c562d35cf80bb1ebe4f74d6dc3656fbe36a0b2020e6c72cc7be6cd6e618a51c7fa55e38b7da68

Download Submit
C:\Program Files (x86)\DragonBox\setting.ini

Filesize
77B

MD5
042bc14b5ec4a59244ac348812dc2e8a

SHA1
7adb7489f0971dfedf5fd7928bde722245c1f3f9

SHA256
20519e50b789d627420ea36122c1759b5c12d47714b6af9e672221aeec424648

SHA512
4bf01a575480257873900a2d251aed31d7b2cd1344eed9accd73c3984cc0929369ca27192bb27592fa07369523e707667ebb0c9a2cf9a41bd686a56038524099

Download Submit
C:\Program Files (x86)\DragonBox\setting.ini

Filesize
77B

MD5
0c8197485fc42ac984d0984cb90e641c

SHA1
e3c7f68aa23561c89b2156e1e5efd07f04e0cd22

SHA256
3d1ec5d5c3728a7424f112664bdedbe640c864372c65f6f595e0766653c7913d

SHA512
15fceab8ba983dbceb6d7202cbd35b7b7464d35a8dec65f3f70c13fc7119a4cb42ddaa813a5737f7e4f903f87b8f0a562451169d0c8ee9836f62aac11dca2dc5

Download Submit
C:\Program Files (x86)\DragonBox\version.ini

Filesize
53B

MD5
1b38736d6e54c9b3b78807bbca68f348

SHA1
0cc44962449b1f54e1d2f606584ce513dc088cf6

SHA256
013612c2be8a8d41bee8b17db9aa51291f52f5dcd405ceb0b15f37eb5c16b774

SHA512
32830fb79214bf523088f6cb29ff2652dc48920297b0ca216ab2ac9ba7ae2826ce6c70ac495202f6985f9a6acab22b7078f48739e22a6c7deeb3a47115326b6b

Download Submit
C:\ProgramData\Megic\lasse.exe

Filesize
248KB

MD5
ecf79310b8a51b2a472689619d42a42c

SHA1
36e328fccda8f2f3d926e472d968072a9c732c0f

SHA256
6acfdd085ed2f92c013f0bdac5456f2190b5101b1499d7489055083dd334a396

SHA512
321a73b6f2f362fdbccbbac80411dd2bf4721b1b5c640e986fb3114ca3ada75702fac697db8fa1c066ad4145cc44b8d226ff93575b9cbe24ad505cd7f8187321

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\DragonBox.exe

Filesize
1.5MB

MD5
cbb2db2566dde5e2b9c6a636471ffa23

SHA1
38704738c646a9afa729cefd31ca0c8f28a9f54c

SHA256
4358b654751d9a43cc53543c297c1d862fcd0f94140dcfc1193a87857c1faf8e

SHA512
572cc9b09678904e604c6e9fad0dc21565596660cad2fdb79c644f50a012d44244caeea369e2f850fb784d0c0b33bef7938adcabb9568ab5775da941074f4b64

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
566KB

MD5
3fe7c92dba5c9240b4ab0d6a87e6166a

SHA1
7980d7dffc073515b621834246dda33ab00c308d

SHA256
a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258

SHA512
bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

Download Submit
\Users\Admin\AppData\Local\Temp\jiedian.exe

Filesize
2.9MB

MD5
1641766934172d4ef320103147ba77f3

SHA1
8562b7fb3cad46e555bcfacfc14ad2924971955e

SHA256
dc9b2fac8c2e6caed9a9864f04bd55ddf3acb000d5b93645f1e0218f1921c75c

SHA512
ccd3c3e572c7dc2bfe929ed8e49afaef366d87f056a5eb894ccca3d428f44dba7e018fcd3e8307f8b81db38ba6c376c498b9d773fcbae930d8f5a97b27a671cd

Download Submit
memory/2116-123-0x0000000001F30000-0x0000000001F40000-memory.dmp

Filesize
64KB

Download
memory/2116-24-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2116-149-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2756-22-0x0000000002C90000-0x0000000002E11000-memory.dmp

Filesize
1.5MB

Download
memory/2756-12-0x0000000002C90000-0x0000000002E11000-memory.dmp

Filesize
1.5MB

Download