Analysis
-
max time kernel
134s -
max time network
83s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
20-11-2024 03:34
General
-
Target
d4de7d7990114c51056afeedb827d880549d5761aac6bdef0f14cb17c25103b3.exe
-
Size
465KB
-
MD5
e4a4fc96188310b7b07e7c0525b5c0aa
-
SHA1
81185dd73f2e042a947a1bf77f429de08778b6e9
-
SHA256
d4de7d7990114c51056afeedb827d880549d5761aac6bdef0f14cb17c25103b3
-
SHA512
72d27e3019954c3c98b8912842c42ee1fe5af5ca7b9717f7ee8bb61f16528c374f883f4b9697c1805ea59a5e854e4aa53aa6cfe06d87d87b181dd12def7d61d6
-
SSDEEP
12288:HZph8TCfS9dQ1GH4wKcmY8FYkEv+NTjUU1GaJyixE:HZpCTCfS9dQ104wdV8FImTjUYGViS
Score
10/10
Malware Config
Extracted
Path
C:\Program Files (x86)\readme.txt
Family
dragonforce
Ransom Note
Hello!
Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay.
--- Our communication process:
1. You contact us.
2. We send you a list of files that were stolen.
3. We decrypt 1 file to confirm that our decryptor works.
4. We agree on the amount, which must be paid using BTC.
5. We delete your files, we give you a decryptor.
6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future.
--- Client area (use this site to contact us):
Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
>>> Use this ID: 5259BC46FA73563549276E6D4F0068A3 to begin the recovery process.
* In order to access the site, you will need Tor Browser,
you can download it from this link: https://www.torproject.org/
--- Additional contacts:
Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20
--- Recommendations:
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
--- Important:
If you refuse to pay or do not get in touch with us, we start publishing your files.
12/07/2024 00:00 UTC the decryptor will be destroyed and the files will be published on our blog.
Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Sincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101
URLs
http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Signatures
-
DragonForce
Ransomware family based on Lockbit that was first observed in November 2023.
-
Dragonforce family
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 26 IoCs
-
Drops file in Program Files directory 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 36 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4de7d7990114c51056afeedb827d880549d5761aac6bdef0f14cb17c25103b3.exe"C:\Users\Admin\AppData\Local\Temp\d4de7d7990114c51056afeedb827d880549d5761aac6bdef0f14cb17c25103b3.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\d4de7d7990114c51056afeedb827d880549d5761aac6bdef0f14cb17c25103b3.exe"C:\Users\Admin\AppData\Local\Temp\d4de7d7990114c51056afeedb827d880549d5761aac6bdef0f14cb17c25103b3.exe"2⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C0A7565B-A19F-4402-9B8C-EE58F5677206}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C0A7565B-A19F-4402-9B8C-EE58F5677206}'" delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EEC8685-DBBC-40B7-83F7-EBE9F961E50A}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EEC8685-DBBC-40B7-83F7-EBE9F961E50A}'" delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D3EF019B-3827-46D5-AAE6-7A5F9B72E352}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D3EF019B-3827-46D5-AAE6-7A5F9B72E352}'" delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C46025E1-89AE-4E89-A6B2-627BD36BEBA7}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C46025E1-89AE-4E89-A6B2-627BD36BEBA7}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7FEB2B6D-C65D-4F8B-96F4-5C290BF1392E}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7FEB2B6D-C65D-4F8B-96F4-5C290BF1392E}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{38024B4B-EA00-4E0B-9254-7847544CB184}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{38024B4B-EA00-4E0B-9254-7847544CB184}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{070F76DF-8D94-4D9C-8D5E-8288E6D99D33}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{070F76DF-8D94-4D9C-8D5E-8288E6D99D33}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0DBC292F-1D3D-47BB-98CD-05C9763CDD70}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0DBC292F-1D3D-47BB-98CD-05C9763CDD70}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BFDEA41B-0C5B-4A69-8904-D0D8C8B4BD52}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BFDEA41B-0C5B-4A69-8904-D0D8C8B4BD52}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{661ADE96-9D98-4439-A4A3-21497C149A84}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{661ADE96-9D98-4439-A4A3-21497C149A84}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{49F9E8B9-5C23-4EFC-922F-403BF3CF1CD8}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{49F9E8B9-5C23-4EFC-922F-403BF3CF1CD8}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B00B17C0-9080-4AFD-B9FE-5625D3C964B6}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B00B17C0-9080-4AFD-B9FE-5625D3C964B6}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B42A6924-C6F8-405C-A922-10D4551D692A}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B42A6924-C6F8-405C-A922-10D4551D692A}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EE259E2-D2AC-45D1-9714-41C32E03FEA5}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4EE259E2-D2AC-45D1-9714-41C32E03FEA5}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06EF4E8E-D39F-475F-AFE4-9F81C5C17F7B}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06EF4E8E-D39F-475F-AFE4-9F81C5C17F7B}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B30B3BC9-99AA-45F9-A653-DBB54ECA8A3A}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B30B3BC9-99AA-45F9-A653-DBB54ECA8A3A}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BD7099CD-3DAF-4D00-874E-B6365BD7580B}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BD7099CD-3DAF-4D00-874E-B6365BD7580B}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA251BFA-C949-4FDE-98A2-277792D6DA8E}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AA251BFA-C949-4FDE-98A2-277792D6DA8E}'" delete4⤵
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD53f5e818547e1ad8df2b3305703cf022d
SHA1d70b12bda8562a10e0a6ea84c908b49e85b46229
SHA2564f81a2a46025f9e0972bce9df22155545a0ec21bb22e11f4d3f1b8b62e0d74f6
SHA512258707a2c7bb5af0fd11f8d9ab86b0fa746031d26ae6c9e96eee9e81e1c8b285f45fd77c9a457ed27411180740e310acf2770fe85891f8342b27db6f30a23e31
-
Filesize
4KB
MD569428eb801cde345f1a4dfed0507fb4c
SHA154d46e3caff1597b0e791b5b281a1338e85acb7b
SHA256b62310b75fbf9900b9568210fb6cf382d4d647c7678ee5db8bf889ed9d6f58c6
SHA512e25e36bae933dec06cc1509d790968500c471e9877aa60abdf854148f1206077b9297a43e9f1fb1d5a191989a9361ad35f3ab87858a94cea27e762590d9da355