Analysis
-
max time kernel
150s -
max time network
78s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
20-11-2024 02:27
General
-
Target
312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
-
Size
465KB
-
MD5
15634dc79981e7fba25fb8530cedb981
-
SHA1
a4bdd6cef0ed43a4d08f373edc8e146bb15ca0f9
-
SHA256
312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83
-
SHA512
daa63d5a3a948f4416d61eb4bf086f8cc921f24187ffcdb406751cc8102114f826957a249830e28220a3c73e11388706152851106794529541e1e2020d695ece
-
SSDEEP
12288:HZph8TCfS9dQ1GH4wKcmY8FYkEv+NT5XqU6KDBxE:HZpCTCfS9dQ104wdV8FImT5XqiS
Score
10/10
Malware Config
Extracted
Path
C:\Program Files (x86)\readme.txt
Family
dragonforce
Ransom Note
Hello!
Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay.
--- Our communication process:
1. You contact us.
2. We send you a list of files that were stolen.
3. We decrypt 1 file to confirm that our decryptor works.
4. We agree on the amount, which must be paid using BTC.
5. We delete your files, we give you a decryptor.
6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future.
--- Client area (use this site to contact us):
Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
>>> Use this ID: C2856ADC2577466391B96FBE317D3E77 to begin the recovery process.
* In order to access the site, you will need Tor Browser,
you can download it from this link: https://www.torproject.org/
--- Additional contacts:
Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20
--- Recommendations:
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
--- Important:
If you refuse to pay or do not get in touch with us, we start publishing your files.
17/07/2024 00:00 UTC the decryptor will be destroyed and the files will be published on our blog.
Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Sincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101
URLs
http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Signatures
-
DragonForce
Ransomware family based on Lockbit that was first observed in November 2023.
-
Dragonforce family
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 32 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 36 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe"C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe"C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe"2⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2BD6FB29-189E-4F99-9F99-651A72FEBF02}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2BD6FB29-189E-4F99-9F99-651A72FEBF02}'" delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D818798-4B47-458C-8916-CBECAE43B4FB}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2D818798-4B47-458C-8916-CBECAE43B4FB}'" delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1BB337A5-A97C-4E3B-A953-6F743F6A68A9}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1BB337A5-A97C-4E3B-A953-6F743F6A68A9}'" delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6477892D-EC9E-4CBF-B454-FA61DC46F5FA}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6477892D-EC9E-4CBF-B454-FA61DC46F5FA}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56351986-B650-4647-8784-B3B760645DA4}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{56351986-B650-4647-8784-B3B760645DA4}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2265C065-B6B0-4775-9799-36B9FEE32622}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2265C065-B6B0-4775-9799-36B9FEE32622}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1FABF953-9C39-45E5-BBE9-8EA6C9C47AFC}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1FABF953-9C39-45E5-BBE9-8EA6C9C47AFC}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8B936CD8-A865-4FAC-8D84-CBCB07B701E1}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8B936CD8-A865-4FAC-8D84-CBCB07B701E1}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6309368E-BFB6-486E-98FD-95DB63CF8CCD}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6309368E-BFB6-486E-98FD-95DB63CF8CCD}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C86CD55D-C4A7-41EE-9996-50648480DCD1}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C86CD55D-C4A7-41EE-9996-50648480DCD1}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F1EC04A3-70A5-446C-82A7-F72478B1F67F}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F1EC04A3-70A5-446C-82A7-F72478B1F67F}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D0EA2D8B-0324-4D6B-B67E-47501DE36B0D}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D0EA2D8B-0324-4D6B-B67E-47501DE36B0D}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BF511B92-0D8F-4A7D-8D02-DBF4F564E117}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BF511B92-0D8F-4A7D-8D02-DBF4F564E117}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{49B72978-0008-434A-B917-90D3B1C2A77E}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{49B72978-0008-434A-B917-90D3B1C2A77E}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA9990C9-A884-4636-9E67-9D57557C520F}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA9990C9-A884-4636-9E67-9D57557C520F}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BDBC865F-CD95-469C-87CB-A93B7E42F6FC}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BDBC865F-CD95-469C-87CB-A93B7E42F6FC}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2239B57-C45C-479E-80DD-8AD930A4200B}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2239B57-C45C-479E-80DD-8AD930A4200B}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2ECE20AD-81EF-4472-98D5-76CDE183AA48}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2ECE20AD-81EF-4472-98D5-76CDE183AA48}'" delete4⤵
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵
- Suspicious behavior: LoadsDriver
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b468e28730bb09829890899d12428339
SHA15a890359c6f852383cd8ac3c382fb902928a8353
SHA2563b7d988863c769debecfd3b31d46a4e624b25ce56e9c8b7d84d9b60dcf27841d
SHA51297561ae3de77cce57fb93a6d3cecc6abd4f2926df71d582c2754a558cc7161bc9cd983463bd85e44abc21dbe09fb8f4e981c3f3510f0137d5bbba2f1f7d3407e
-
Filesize
4KB
MD529884ebcfe4252341166a5b557fa3d82
SHA1f1938a6011926957e9a8e1123d1c34a30ebf628f
SHA256f60b6a9921d4c9e656f3413c3bf27d74310dc3408b8293ce7e8c874665c9d619
SHA5122b299b5d3bc6ea00eafb471c5629c4a11cd985f6b808e2d3db703259b6e1e6b4266216bb35bc13dc72f83aa2e689381521db827210f640e2cd54c9447b9da681