Analysis
max time kernel: 93s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/10/2024, 07:38
Static task: static1
Behavioral task: behavioral1
  Sample: bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe
  Resource: win10v2004-20241007-en
General
Target: bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe
Size: 3.0MB
MD5: 1a8a99c90906c349060944e027fd1550
SHA1: 7edb6c08d439c0e581d7a387a2095300061c293a
SHA256: bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913b
SHA512: 846dc680a3d1c7487c3bc69ad07256377e2105b5de876997e0a59b64131324dcbc94a605c99a8bb89434e74c95dedff78bea7be116d41da1eb620bb1a7220497
SSDEEP: 49152:9gCh1LGumhuW+5S0z0pEhd/l0mWKp719Qq3yobleQD80gboI5/4X0W0z0pEhd/lc:+CPSpED/ppLh3ScE4X0ypED/pg
Malware Config
Signatures
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (jiedian.exe)

Executes dropped EXE 4 IoCs
- PID 3564 jiedian.exe
- PID 1876 irsetup.exe
- PID 4116 lasse.exe
- PID 2660 DragonBox.exe

Loads dropped DLL 1 IoCs
- PID 2660 DragonBox.exe

Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DragonBox = "C:\\Program Files (x86)\\DragonBox\\DragonBox.exe -autorun" (irsetup.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled 1 IoCs
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (DragonBox.exe)
Drops file in System32 directory 10 IoCs
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\doload.text (lasse.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates\tmpfomr.exe (lasse.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates\tmpfomr.exe (lasse.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\tmpfomr.exe (lasse.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\inst.ini (lasse.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\selfUpdate.exe (lasse.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\walcome.exe (lasse.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\update.exe (lasse.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates\spsrv.exe (lasse.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\walcome.exe (lasse.exe)

UPX packed file 3 IoCs
- behavioral2/files/0x0007000000023c7f-10.dat (yara rule: upx)
- behavioral2/memory/1876-17-0x0000000000400000-0x0000000000581000-memory.dmp (yara rule: upx)
- behavioral2/memory/1876-135-0x0000000000400000-0x0000000000581000-memory.dmp (yara rule: upx)
Drops file in Program Files directory 44 IoCs
- File created: C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\Update.exe (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\version.ini (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\DragonBox.exe (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\Uninstall\uninstall.dat (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\html\images\Thumbs.db (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\html\right.html (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\unrar.dll (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\DragonBox.exe (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\skins\PixOS.ssk (DragonBox.exe)
- File created: C:\Program Files (x86)\DragonBox\html\klist.html (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\setting.ini (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\Uninstall\uniB3CF.tmp (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\html\images\Thumbs.db (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\html\404.html (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\html\klist.html (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\html\images\rightlogo.gif (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\svcupdate.exe (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\html\right.html (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\setting.ini (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\gametypebak.json (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\svcupdate.exe (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\Uninstall\uninstall.dat (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\html\images\logo.gif (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\html\404.html (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\Update.exe (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\Uninstall\IRIMG1.JPG (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\resdata.db (DragonBox.exe)
- File created: C:\Program Files (x86)\DragonBox\gametypebak.json (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\WebGame.exe (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\resdata.db-journal (DragonBox.exe)
- File created: C:\Program Files (x86)\DragonBox\uninstall.exe (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\html\images\logo.gif (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\html\images\rightlogo.gif (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\unrar.dll (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\Uninstall\IRIMG2.JPG (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\setting.ini (DragonBox.exe)
- File created: C:\Program Files (x86)\DragonBox\Uninstall\uniB3CF.tmp (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\WebGame.exe (irsetup.exe)
- File opened for modification: C:\Program Files (x86)\DragonBox\version.ini (irsetup.exe)
- File created: C:\Program Files (x86)\DragonBox\Uninstall\IRIMG1.JPG (irsetup.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (jiedian.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (irsetup.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (lasse.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (DragonBox.exe)

Modifies Internet Explorer settings 4 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\IESettingSync (DragonBox.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" (DragonBox.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (DragonBox.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (DragonBox.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 4116 lasse.exe (2 events)

Suspicious use of FindShellTrayWindow 2 IoCs
- PID 2660 DragonBox.exe (2 events)

Suspicious use of SendNotifyMessage 2 IoCs
- PID 2660 DragonBox.exe (2 events)

Suspicious use of SetWindowsHookEx 14 IoCs
- PID 3820 bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe (1 event)
- PID 1876 irsetup.exe (3 events)
- PID 2660 DragonBox.exe (10 events)

Suspicious use of WriteProcessMemory 9 IoCs
- PID 3820 (bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe) wrote to memory of PID 3564, procid_target 85 (3 events)
- PID 3564 (jiedian.exe) wrote to memory of PID 1876, procid_target 87 (3 events)
- PID 1876 (irsetup.exe) wrote to memory of PID 2660, procid_target 90 (3 events)
Processes
C:\Users\Admin\AppData\Local\Temp\bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe"
  PID: 3820
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\jiedian.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jiedian.exe"
    PID: 3564
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:662050 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\jiedian.exe" "__IRCT:2" "__IRTSS:0" "__IRSID:S-1-5-21-4050598569-1597076380-177084960-1000"
      PID: 1876
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\DragonBox\DragonBox.exe
        Command line: "C:\Program Files (x86)\DragonBox\DragonBox.exe" -autorun
        PID: 2660
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx

C:\ProgramData\Megic\lasse.exe
  Command line: C:\ProgramData\Megic\lasse.exe
  PID: 4116
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.5MB
MD5: cbb2db2566dde5e2b9c6a636471ffa23
SHA1: 38704738c646a9afa729cefd31ca0c8f28a9f54c
SHA256: 4358b654751d9a43cc53543c297c1d862fcd0f94140dcfc1193a87857c1faf8e
SHA512: 572cc9b09678904e604c6e9fad0dc21565596660cad2fdb79c644f50a012d44244caeea369e2f850fb784d0c0b33bef7938adcabb9568ab5775da941074f4b64

Filesize: 1.3MB
MD5: 73edb6d203e0230b2ab4e4da57dd6bee
SHA1: 4a71903b57abd639425394340d1a6067da760f0a
SHA256: a469eb021d4f0e5536d265bba0bf27dc82c5eb12ec3a70375331dab97163f544
SHA512: 2b5552971fe90de9088f87913ce3ba82269eb929dbedb583d50b305211a5cb74cb42ebbfd60c935587de1deb8c38334361b2f6b5d750a9dcad73798e840cf1d5

Filesize: 4KB
MD5: 974b742d2559b60a336498ebf762b628
SHA1: 3bf564d3e55e5fd5665a87d16ff920b3ef977105
SHA256: 1d6edc23d178fb381a93594a75588133dcce37bc742a08ae9df86e34d60f169f
SHA512: 64b93384e1ac7433f1452c79d4c2687cf367824e7f44933a042821d5214f5de7d7561ff8c7ccf13b2533454f62206e2c095ceec0e6bb2bb789f430f1e0c982a3

Filesize: 4KB
MD5: 93bb2f7b51110cbccf20f37888d4a73f
SHA1: bc4da28a09f2e3b203e4ee1000a15028a0b2250a
SHA256: 5c489fa8fd7dce7ec21141b33b177951a05cb56afff5a439e599f91120f87d4a
SHA512: 4fdc350d9f9084ed367012555e9dec27245bbadda81673008715fa9b1a92b8cd4d3572e805f04ffc4831df402c9e62b066961965cf8c484da0a6087e43f2db1f

Filesize: 21KB
MD5: 242aec89243b0957523287ae5d18b9b8
SHA1: 9d54d2b8bf3d52d927fd89b172621d496b5f83e6
SHA256: e9b77b8fb317ac44289644e195f8510061ed6c724458a8203e13d33d4882b249
SHA512: a32cc60ee1c0c1e3ce8b4133bf314ab7be7ee3ca56ee37c51d7c562d35cf80bb1ebe4f74d6dc3656fbe36a0b2020e6c72cc7be6cd6e618a51c7fa55e38b7da68

Filesize: 77B
MD5: 042bc14b5ec4a59244ac348812dc2e8a
SHA1: 7adb7489f0971dfedf5fd7928bde722245c1f3f9
SHA256: 20519e50b789d627420ea36122c1759b5c12d47714b6af9e672221aeec424648
SHA512: 4bf01a575480257873900a2d251aed31d7b2cd1344eed9accd73c3984cc0929369ca27192bb27592fa07369523e707667ebb0c9a2cf9a41bd686a56038524099

Filesize: 77B
MD5: 0c8197485fc42ac984d0984cb90e641c
SHA1: e3c7f68aa23561c89b2156e1e5efd07f04e0cd22
SHA256: 3d1ec5d5c3728a7424f112664bdedbe640c864372c65f6f595e0766653c7913d
SHA512: 15fceab8ba983dbceb6d7202cbd35b7b7464d35a8dec65f3f70c13fc7119a4cb42ddaa813a5737f7e4f903f87b8f0a562451169d0c8ee9836f62aac11dca2dc5

Filesize: 53B
MD5: 1b38736d6e54c9b3b78807bbca68f348
SHA1: 0cc44962449b1f54e1d2f606584ce513dc088cf6
SHA256: 013612c2be8a8d41bee8b17db9aa51291f52f5dcd405ceb0b15f37eb5c16b774
SHA512: 32830fb79214bf523088f6cb29ff2652dc48920297b0ca216ab2ac9ba7ae2826ce6c70ac495202f6985f9a6acab22b7078f48739e22a6c7deeb3a47115326b6b

Filesize: 248KB
MD5: ecf79310b8a51b2a472689619d42a42c
SHA1: 36e328fccda8f2f3d926e472d968072a9c732c0f
SHA256: 6acfdd085ed2f92c013f0bdac5456f2190b5101b1499d7489055083dd334a396
SHA512: 321a73b6f2f362fdbccbbac80411dd2bf4721b1b5c640e986fb3114ca3ada75702fac697db8fa1c066ad4145cc44b8d226ff93575b9cbe24ad505cd7f8187321

Filesize: 11KB
MD5: d1b051718019662c277bab1e4103c9ad
SHA1: ede02518fbeaf10d23ee3a6d1f609132da95d5d7
SHA256: 727b9b7061ce4222ffa60b71ec559ff84a8998b6d5d6a3c77073167e56da17b2
SHA512: a9ad33225eb9baaf95e6c00890a8eb92e12665113b343dda933609e526b276e92408d94f58edd0ddb64159abfc8ebb10b24bef18ac7bac73791837ea8b6fe7f8

Filesize: 566KB
MD5: 3fe7c92dba5c9240b4ab0d6a87e6166a
SHA1: 7980d7dffc073515b621834246dda33ab00c308d
SHA256: a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258
SHA512: bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

Filesize: 2.9MB
MD5: 1641766934172d4ef320103147ba77f3
SHA1: 8562b7fb3cad46e555bcfacfc14ad2924971955e
SHA256: dc9b2fac8c2e6caed9a9864f04bd55ddf3acb000d5b93645f1e0218f1921c75c
SHA512: ccd3c3e572c7dc2bfe929ed8e49afaef366d87f056a5eb894ccca3d428f44dba7e018fcd3e8307f8b81db38ba6c376c498b9d773fcbae930d8f5a97b27a671cd