Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
19-11-2024 13:41
Behavioral task
behavioral1
Sample
5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
Resource
win10v2004-20241007-en
General
-
Target
5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe
-
Size
147KB
-
MD5
40126b1b3c6f86194fc554cdba3cb5d3
-
SHA1
a05551c8536eb6489651a9481911d107fd1c34ef
-
SHA256
5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409
-
SHA512
045711fc010aba7ae338351fe825575bda270636c5c983484faae980655b50dc0196a74964f115fb73235bbae1e6013351e5dc573865e848669fdb43272a4278
-
SSDEEP
3072:a6glyuxE4GsUPnliByocWepvOdS3A/bB1Ba3:a6gDBGpvEByocWeGSQzN
Malware Config
Extracted
C:\uBBbnTEl1.README.txt
dragonforce
http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Signatures
-
DragonForce
Ransomware family based on Lockbit that was first observed in November 2023.
-
Dragonforce family
-
Deletes itself 1 IoCs
pid Process 2052 BB4.tmp -
Executes dropped EXE 1 IoCs
pid Process 2052 BB4.tmp -
Loads dropped DLL 1 IoCs
pid Process 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2052 BB4.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BB4.tmp -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp 2052 BB4.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeDebugPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: 36 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeImpersonatePrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeIncBasePriorityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeIncreaseQuotaPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: 33 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeManageVolumePrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeProfSingleProcessPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeRestorePrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSystemProfilePrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeTakeOwnershipPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeShutdownPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeDebugPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeBackupPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe Token: SeSecurityPrivilege 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2332 wrote to memory of 2052 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 33 PID 2332 wrote to memory of 2052 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 33 PID 2332 wrote to memory of 2052 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 33 PID 2332 wrote to memory of 2052 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 33 PID 2332 wrote to memory of 2052 2332 5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe 33 PID 2052 wrote to memory of 1264 2052 BB4.tmp 34 PID 2052 wrote to memory of 1264 2052 BB4.tmp 34 PID 2052 wrote to memory of 1264 2052 BB4.tmp 34 PID 2052 wrote to memory of 1264 2052 BB4.tmp 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe"C:\Users\Admin\AppData\Local\Temp\5c54bd1aa2abf024f53490b7d93101496b5842a5a81a51955fe7f1d5e4281409.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\ProgramData\BB4.tmp"C:\ProgramData\BB4.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BB4.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:1264
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x14c1⤵PID:900
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5f0c50a987b46dc99d90b58519064d401
SHA15817315b369bc62598848df3ba278e99e15bf055
SHA25623fad72f0f971358c7aa8ae08eb24bf02404cb11a73b99785e1b3c2039209db9
SHA512bd28c2e18125635bdb00442e88ca3ff84d00e5f042cadaee649e1a2c9ac02d7f90d16ad08d0f11015c01bba4dcd6919008ea2c56ebeed9b58b4ca98179163878
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize147KB
MD52c2acddef15d1bd1835c5bc225e0f5a2
SHA1a68751ba78e654aaa4ce27155c305fb154c7a03e
SHA2563d2b77b6a137836af4cdb758f5766b87d1a3405a1dc70e37aec4bbe4de5725f3
SHA5122ad8b5a6a1c37554fb2a76aab1b2b1cde587fccab49350dba237124cde12df38e832f5d8fa07d46efd06acf7b0b73dbcd43aa6b31de6d1e42bc632b3acde1736
-
Filesize
1KB
MD5c3ac4e1ff9fff4b5b5146c7903922510
SHA1ed24f5a58218e2e6072638f100afc050432fc2fc
SHA2569d3f50798e4392f45079afa75fec9c957770fe3cbb6079eb1c42a6992e8efd29
SHA5124173917dffcb176db41fbefe73a25b2886fc6881f8b3b4c007a3e0e956b4672e251f00b8128fd429e0d67449ed954a007dd7948c93ff53fc822979fe39bf6ea8
-
Filesize
129B
MD5226a779011f6cf45471956f9b4d53e8b
SHA1f500727bee21261fa39ea0cebff9426f27865d11
SHA256da581a41323e050d6a37102c1160cec68f29f27748a919d75d434fd40ca450f2
SHA5125043f4c2c69d6972c703e79ba82e47610121074823f6a605c3414d193c3bdb791b3c89d1f933ffb1d7ee36913f9df349215d252414d1eda3ec2eaec42536920f
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf