bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913b

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe
Size

3.0MB
MD5

1a8a99c90906c349060944e027fd1550
SHA1

7edb6c08d439c0e581d7a387a2095300061c293a
SHA256

bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913b
SHA512

846dc680a3d1c7487c3bc69ad07256377e2105b5de876997e0a59b64131324dcbc94a605c99a8bb89434e74c95dedff78bea7be116d41da1eb620bb1a7220497
SSDEEP

49152:9gCh1LGumhuW+5S0z0pEhd/l0mWKp719Qq3yobleQD80gboI5/4X0W0z0pEhd/lc:+CPSpED/ppLh3ScE4X0ypED/pg

Score

7^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	jiedian.exe

Executes dropped EXE 4 IoCs

pid	Process
3564	jiedian.exe
1876	irsetup.exe
4116	lasse.exe
2660	DragonBox.exe

Loads dropped DLL 1 IoCs

pid	Process
2660	DragonBox.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DragonBox = "C:\\Program Files (x86)\\DragonBox\\DragonBox.exe -autorun"	irsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DragonBox.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\doload.text	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates\tmpfomr.exe	lasse.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates\tmpfomr.exe	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\tmpfomr.exe	lasse.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\inst.ini	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\selfUpdate.exe	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\walcome.exe	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\update.exe	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates\spsrv.exe	lasse.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\walcome.exe	lasse.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c7f-10.dat	upx
behavioral2/memory/1876-17-0x0000000000400000-0x0000000000581000-memory.dmp	upx
behavioral2/memory/1876-135-0x0000000000400000-0x0000000000581000-memory.dmp	upx

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Update.exe	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\version.ini	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\DragonBox.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Uninstall\uninstall.dat	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\images\Thumbs.db	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\right.html	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\unrar.dll	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\DragonBox.exe	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\skins\PixOS.ssk	DragonBox.exe
File created	C:\Program Files (x86)\DragonBox\html\klist.html	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\setting.ini	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Uninstall\uniB3CF.tmp	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\images\Thumbs.db	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\404.html	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\klist.html	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\images\rightlogo.gif	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\svcupdate.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\right.html	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\setting.ini	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\gametypebak.json	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\svcupdate.exe	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\uninstall.dat	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\images\logo.gif	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\404.html	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Update.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\Uninstall\IRIMG1.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\resdata.db	DragonBox.exe
File created	C:\Program Files (x86)\DragonBox\gametypebak.json	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\WebGame.exe	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\resdata.db-journal	DragonBox.exe
File created	C:\Program Files (x86)\DragonBox\uninstall.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\html\images\logo.gif	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\html\images\rightlogo.gif	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\unrar.dll	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\IRIMG2.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\setting.ini	DragonBox.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\uniB3CF.tmp	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\WebGame.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\DragonBox\version.ini	irsetup.exe
File created	C:\Program Files (x86)\DragonBox\Uninstall\IRIMG1.JPG	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jiedian.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lasse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DragonBox.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\IESettingSync	DragonBox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	DragonBox.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	DragonBox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	DragonBox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4116	lasse.exe
4116	lasse.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2660	DragonBox.exe
2660	DragonBox.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2660	DragonBox.exe
2660	DragonBox.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3820	bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe
1876	irsetup.exe
1876	irsetup.exe
1876	irsetup.exe
2660	DragonBox.exe
2660	DragonBox.exe
2660	DragonBox.exe
2660	DragonBox.exe
2660	DragonBox.exe
2660	DragonBox.exe
2660	DragonBox.exe
2660	DragonBox.exe
2660	DragonBox.exe
2660	DragonBox.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 3564	3820	bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe	85
PID 3820 wrote to memory of 3564	3820	bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe	85
PID 3820 wrote to memory of 3564	3820	bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe	85
PID 3564 wrote to memory of 1876	3564	jiedian.exe	87
PID 3564 wrote to memory of 1876	3564	jiedian.exe	87
PID 3564 wrote to memory of 1876	3564	jiedian.exe	87
PID 1876 wrote to memory of 2660	1876	irsetup.exe	90
PID 1876 wrote to memory of 2660	1876	irsetup.exe	90
PID 1876 wrote to memory of 2660	1876	irsetup.exe	90

C:\Users\Admin\AppData\Local\Temp\bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe
"C:\Users\Admin\AppData\Local\Temp\bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Users\Admin\AppData\Local\Temp\jiedian.exe
  "C:\Users\Admin\AppData\Local\Temp\jiedian.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:662050 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\jiedian.exe" "__IRCT:2" "__IRTSS:0" "__IRSID:S-1-5-21-4050598569-1597076380-177084960-1000"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Program Files (x86)\DragonBox\DragonBox.exe
      "C:\Program Files (x86)\DragonBox\DragonBox.exe" -autorun
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2660

C:\ProgramData\Megic\lasse.exe
C:\ProgramData\Megic\lasse.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DragonBox\DragonBox.exe

Filesize
1.5MB

MD5
cbb2db2566dde5e2b9c6a636471ffa23

SHA1
38704738c646a9afa729cefd31ca0c8f28a9f54c

SHA256
4358b654751d9a43cc53543c297c1d862fcd0f94140dcfc1193a87857c1faf8e

SHA512
572cc9b09678904e604c6e9fad0dc21565596660cad2fdb79c644f50a012d44244caeea369e2f850fb784d0c0b33bef7938adcabb9568ab5775da941074f4b64

Download Submit
C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll

Filesize
1.3MB

MD5
73edb6d203e0230b2ab4e4da57dd6bee

SHA1
4a71903b57abd639425394340d1a6067da760f0a

SHA256
a469eb021d4f0e5536d265bba0bf27dc82c5eb12ec3a70375331dab97163f544

SHA512
2b5552971fe90de9088f87913ce3ba82269eb929dbedb583d50b305211a5cb74cb42ebbfd60c935587de1deb8c38334361b2f6b5d750a9dcad73798e840cf1d5

Download Submit
C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml

Filesize
4KB

MD5
974b742d2559b60a336498ebf762b628

SHA1
3bf564d3e55e5fd5665a87d16ff920b3ef977105

SHA256
1d6edc23d178fb381a93594a75588133dcce37bc742a08ae9df86e34d60f169f

SHA512
64b93384e1ac7433f1452c79d4c2687cf367824e7f44933a042821d5214f5de7d7561ff8c7ccf13b2533454f62206e2c095ceec0e6bb2bb789f430f1e0c982a3

Download Submit
C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml

Filesize
4KB

MD5
93bb2f7b51110cbccf20f37888d4a73f

SHA1
bc4da28a09f2e3b203e4ee1000a15028a0b2250a

SHA256
5c489fa8fd7dce7ec21141b33b177951a05cb56afff5a439e599f91120f87d4a

SHA512
4fdc350d9f9084ed367012555e9dec27245bbadda81673008715fa9b1a92b8cd4d3572e805f04ffc4831df402c9e62b066961965cf8c484da0a6087e43f2db1f

Download Submit
C:\Program Files (x86)\DragonBox\gametypebak.json

Filesize
21KB

MD5
242aec89243b0957523287ae5d18b9b8

SHA1
9d54d2b8bf3d52d927fd89b172621d496b5f83e6

SHA256
e9b77b8fb317ac44289644e195f8510061ed6c724458a8203e13d33d4882b249

SHA512
a32cc60ee1c0c1e3ce8b4133bf314ab7be7ee3ca56ee37c51d7c562d35cf80bb1ebe4f74d6dc3656fbe36a0b2020e6c72cc7be6cd6e618a51c7fa55e38b7da68

Download Submit
C:\Program Files (x86)\DragonBox\setting.ini

Filesize
77B

MD5
042bc14b5ec4a59244ac348812dc2e8a

SHA1
7adb7489f0971dfedf5fd7928bde722245c1f3f9

SHA256
20519e50b789d627420ea36122c1759b5c12d47714b6af9e672221aeec424648

SHA512
4bf01a575480257873900a2d251aed31d7b2cd1344eed9accd73c3984cc0929369ca27192bb27592fa07369523e707667ebb0c9a2cf9a41bd686a56038524099

Download Submit
C:\Program Files (x86)\DragonBox\setting.ini

Filesize
77B

MD5
0c8197485fc42ac984d0984cb90e641c

SHA1
e3c7f68aa23561c89b2156e1e5efd07f04e0cd22

SHA256
3d1ec5d5c3728a7424f112664bdedbe640c864372c65f6f595e0766653c7913d

SHA512
15fceab8ba983dbceb6d7202cbd35b7b7464d35a8dec65f3f70c13fc7119a4cb42ddaa813a5737f7e4f903f87b8f0a562451169d0c8ee9836f62aac11dca2dc5

Download Submit
C:\Program Files (x86)\DragonBox\version.ini

Filesize
53B

MD5
1b38736d6e54c9b3b78807bbca68f348

SHA1
0cc44962449b1f54e1d2f606584ce513dc088cf6

SHA256
013612c2be8a8d41bee8b17db9aa51291f52f5dcd405ceb0b15f37eb5c16b774

SHA512
32830fb79214bf523088f6cb29ff2652dc48920297b0ca216ab2ac9ba7ae2826ce6c70ac495202f6985f9a6acab22b7078f48739e22a6c7deeb3a47115326b6b

Download Submit
C:\ProgramData\Megic\lasse.exe

Filesize
248KB

MD5
ecf79310b8a51b2a472689619d42a42c

SHA1
36e328fccda8f2f3d926e472d968072a9c732c0f

SHA256
6acfdd085ed2f92c013f0bdac5456f2190b5101b1499d7489055083dd334a396

SHA512
321a73b6f2f362fdbccbbac80411dd2bf4721b1b5c640e986fb3114ca3ada75702fac697db8fa1c066ad4145cc44b8d226ff93575b9cbe24ad505cd7f8187321

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

Filesize
11KB

MD5
d1b051718019662c277bab1e4103c9ad

SHA1
ede02518fbeaf10d23ee3a6d1f609132da95d5d7

SHA256
727b9b7061ce4222ffa60b71ec559ff84a8998b6d5d6a3c77073167e56da17b2

SHA512
a9ad33225eb9baaf95e6c00890a8eb92e12665113b343dda933609e526b276e92408d94f58edd0ddb64159abfc8ebb10b24bef18ac7bac73791837ea8b6fe7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
566KB

MD5
3fe7c92dba5c9240b4ab0d6a87e6166a

SHA1
7980d7dffc073515b621834246dda33ab00c308d

SHA256
a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258

SHA512
bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiedian.exe

Filesize
2.9MB

MD5
1641766934172d4ef320103147ba77f3

SHA1
8562b7fb3cad46e555bcfacfc14ad2924971955e

SHA256
dc9b2fac8c2e6caed9a9864f04bd55ddf3acb000d5b93645f1e0218f1921c75c

SHA512
ccd3c3e572c7dc2bfe929ed8e49afaef366d87f056a5eb894ccca3d428f44dba7e018fcd3e8307f8b81db38ba6c376c498b9d773fcbae930d8f5a97b27a671cd

Download Submit
memory/1876-17-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/1876-135-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download