Analysis
-
max time kernel
150s -
max time network
73s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
20-11-2024 11:44
General
-
Target
312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe
-
Size
465KB
-
MD5
15634dc79981e7fba25fb8530cedb981
-
SHA1
a4bdd6cef0ed43a4d08f373edc8e146bb15ca0f9
-
SHA256
312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83
-
SHA512
daa63d5a3a948f4416d61eb4bf086f8cc921f24187ffcdb406751cc8102114f826957a249830e28220a3c73e11388706152851106794529541e1e2020d695ece
-
SSDEEP
12288:HZph8TCfS9dQ1GH4wKcmY8FYkEv+NT5XqU6KDBxE:HZpCTCfS9dQ104wdV8FImT5XqiS
Score
10/10
Malware Config
Extracted
Path
C:\Program Files (x86)\readme.txt
Family
dragonforce
Ransom Note
Hello!
Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay.
--- Our communication process:
1. You contact us.
2. We send you a list of files that were stolen.
3. We decrypt 1 file to confirm that our decryptor works.
4. We agree on the amount, which must be paid using BTC.
5. We delete your files, we give you a decryptor.
6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future.
--- Client area (use this site to contact us):
Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
>>> Use this ID: C2856ADC257746635A40AA0D65E6F8C1 to begin the recovery process.
* In order to access the site, you will need Tor Browser,
you can download it from this link: https://www.torproject.org/
--- Additional contacts:
Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20
--- Recommendations:
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
--- Important:
If you refuse to pay or do not get in touch with us, we start publishing your files.
17/07/2024 00:00 UTC the decryptor will be destroyed and the files will be published on our blog.
Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Sincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101
URLs
http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
Signatures
-
DragonForce
Ransomware family based on Lockbit that was first observed in November 2023.
-
Dragonforce family
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 33 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 36 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe"C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe"C:\Users\Admin\AppData\Local\Temp\312ca1a8e35dcf5b80b1526948bd1081fed2293b31d061635e9f048f3fe5eb83.exe"2⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5B5A656D-BA06-4513-8066-3AD760F9B88D}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5B5A656D-BA06-4513-8066-3AD760F9B88D}'" delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3E91B04A-0BC4-4BAB-BF74-08777446362D}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3E91B04A-0BC4-4BAB-BF74-08777446362D}'" delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{93AF445E-A32C-44C7-B6FB-6EB9D9A04561}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{93AF445E-A32C-44C7-B6FB-6EB9D9A04561}'" delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FB6B18B4-5504-413B-B044-3D25FDB26B92}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FB6B18B4-5504-413B-B044-3D25FDB26B92}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B049153-6C3C-480B-985E-F0302FE119B1}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B049153-6C3C-480B-985E-F0302FE119B1}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CCCF670A-4780-4309-9CB8-68E5925C94D8}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CCCF670A-4780-4309-9CB8-68E5925C94D8}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2859ADC8-8AD1-4A47-8A10-5C9DD9A7A71C}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2859ADC8-8AD1-4A47-8A10-5C9DD9A7A71C}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{54131EE6-EA75-497C-8A82-178E7D303DA2}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{54131EE6-EA75-497C-8A82-178E7D303DA2}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A27044CE-EB7C-454C-BD78-0DA46CB0BE29}'" delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A27044CE-EB7C-454C-BD78-0DA46CB0BE29}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{685CB5DA-1E05-4616-B339-B19D16F949F2}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{685CB5DA-1E05-4616-B339-B19D16F949F2}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0769A821-A8B7-4FCB-ACEF-104F57C85804}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0769A821-A8B7-4FCB-ACEF-104F57C85804}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{88325A2F-6183-4F93-B855-70A68EF370AC}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{88325A2F-6183-4F93-B855-70A68EF370AC}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1D8E5239-7DE7-48DD-967B-A449B767B0DA}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1D8E5239-7DE7-48DD-967B-A449B767B0DA}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7ABC9F53-6682-4E8F-A665-9671155D0649}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7ABC9F53-6682-4E8F-A665-9671155D0649}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F70E118E-26D8-47DF-BF1F-6685C95E0B89}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F70E118E-26D8-47DF-BF1F-6685C95E0B89}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C8148903-0D44-4A5C-A9BD-07231CB6826D}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C8148903-0D44-4A5C-A9BD-07231CB6826D}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F7B1F25A-FA5B-4417-B916-1283F4EFACEB}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F7B1F25A-FA5B-4417-B916-1283F4EFACEB}'" delete4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{60AA7F46-8021-4462-86AF-35F37EB41ECA}'" delete3⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{60AA7F46-8021-4462-86AF-35F37EB41ECA}'" delete4⤵
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵
- Suspicious behavior: LoadsDriver
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5996f7a1391d207fbbd63c8d5f30e790d
SHA12a00f69d2b1338a59849a457203bf45460f62515
SHA256d1dbedf54d867a5481661bd43307d82d3bc8265e6841858aeb565b23a4b32c1c
SHA512556ff4ed84f400a603b785c96d43217f79575a3997e91869ae92742cd27db997a44af83eb61d4eec067ced7d3190cdaa16ec96b45aa6e39f30a3e00a140288b7
-
Filesize
4KB
MD520b6d544d3cfb05765dc31a36f590041
SHA1de525feef8d0998a6a66dab2bd308789bd50b8f5
SHA256333a36de27cecdb9572e6d3936bafc0401856166654b26d02d7f03ce2397a94f
SHA512f9c870ab4559e0d339d83be0c5829e0981cd252e851dcc9ccad983da3a9fca1ccfb22e1284749c1e9350e4174c31a1e87d9ce2652b1f3fa70d3fdaeec3583cec