dragonforce | 005ed5de8a3e72a91f8a2e0d2a3088c41c681feb70dffbd9097e22c288b6b70c

Analysis

max time kernel
116s
max time network
58s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26/11/2024, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

465KB
MD5

e4a4fc96188310b7b07e7c0525b5c0aa
SHA1

81185dd73f2e042a947a1bf77f429de08778b6e9
SHA256

d4de7d7990114c51056afeedb827d880549d5761aac6bdef0f14cb17c25103b3
SHA512

72d27e3019954c3c98b8912842c42ee1fe5af5ca7b9717f7ee8bb61f16528c374f883f4b9697c1805ea59a5e854e4aa53aa6cfe06d87d87b181dd12def7d61d6
SSDEEP

12288:HZph8TCfS9dQ1GH4wKcmY8FYkEv+NTjUU1GaJyixE:HZpCTCfS9dQ104wdV8FImTjUYGViS

Score

10^/10

dragonforce discovery ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\readme.txt

Family

dragonforce

Ransom Note

Hello! Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay. --- Our communication process: 1. You contact us. 2. We send you a list of files that were stolen. 3. We decrypt 1 file to confirm that our decryptor works. 4. We agree on the amount, which must be paid using BTC. 5. We delete your files, we give you a decryptor. 6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- Client area (use this site to contact us): Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion >>> Use this ID: 5259BC46FA735635BE0CAE305AFA26A9 to begin the recovery process. * In order to access the site, you will need Tor Browser, you can download it from this link: https://www.torproject.org/ --- Additional contacts: Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20 --- Recommendations: DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. --- Important: If you refuse to pay or do not get in touch with us, we start publishing your files. 12/07/2024 00:00 UTC the decryptor will be destroyed and the files will be published on our blog. Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion Sincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101

URLs

http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion

http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

Signatures

DragonForce
Ransomware family based on Lockbit that was first observed in November 2023.
ransomware dragonforce
Dragonforce family
dragonforce

Drops desktop.ini file(s) 22 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	sample.exe
File opened for modification	C:\Program Files\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	sample.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	sample.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSWORD.OLB	sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00336_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01013_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02386_.WMF	sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Foundry.thmx	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadomd28.tlb	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0157177.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00195_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199469.WMF	sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00612_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0282126.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_02.MID	sample.exe
File created	C:\Program Files (x86)\Common Files\readme.txt	sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf	sample.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\readme.txt	sample.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft.Office.InfoPath.targets	sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00453_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05870_.WMF	sample.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox28.tlb	sample.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\readme.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\PNG32.FLT	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183174.WMF	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\classfile_constants.h	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00413_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01145_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152876.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318448.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG	sample.exe
File opened for modification	C:\Program Files\desktop.ini	sample.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	sample.exe
File created	C:\Program Files (x86)\Common Files\System\it-IT\readme.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00407_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00234_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02957_.WMF	sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	sample.exe
File created	C:\Program Files\Mozilla Firefox\browser\readme.txt	sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat	sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\THEMES.INF	sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	sample.exe
File created	C:\Program Files\Common Files\Microsoft Shared\readme.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02371_.WMF	sample.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00231_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102594.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00049_.WMF	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\3RDPARTY	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00204_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP	sample.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\readme.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099200.GIF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198022.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00231_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Clarity.thmx	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00921_.WMF	sample.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sample.exe

Modifies data under HKEY_USERS 29 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 78ab9d93ae8dc64e8b8188d8b54faf7d3c6925479bfcb5e6535a160780f9b002	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 17087f8d25789e4139cf011c21ed1de6f980b99d5b5614746594e2b9f8fccd4f	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 0a92d2f97ac1af1999afde20e9bb0570f936fb351f404af4ede711050b7d849a	sample.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	sample.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	sample.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 47b44d4456af22ca400d09c0b8c80fff3c48cea132a87d13e5d75aa197fce6aa	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 340a000000b8041ba73fdb01	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e0044004100540000000000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 6ba6836b723fc3b1c5a41264385572e4a191deb970e22ce03125926a1e5c554d	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d002e0062006c00660000000000	sample.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = ec7ff74f601ddf5d97bc64e2c81ab44bb12154ed7b6368c90e844db3dbe7633e	sample.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "2"	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = cd05ac265b3a8961bd3f0702bfc4137611e44c36bec51830e8d145fbc9d30bd7	sample.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 6a55ffda56a683bb79e86ba6778baff138516cd603ac051c99a4a6b24c838de2	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 84a324739b46f05de6b7cd17344cacb6063c1d9b8ff3fed940e4241cb1b57ac5	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 1ddef12aa751a9ec715be95fbef8e5382cae46d60adb00ce53e33c0a749a991c	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = f4e605f12ad272d4322f1f4d1f5f41e710fcc68c49b9af517ff9073317fa2479	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d0044006100740061005c004d006900630072006f0073006f00660074005c004f006600660069006300650053006f00660074007700610072006500500072006f00740065006300740069006f006e0050006c006100740066006f0072006d005c0074006f006b0065006e0073002e0064006100740000000000	sample.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = a4ea26decae5d27a3dccdb75b05055b3ca36e0d56ece531f082a72e79829d16e	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = bf7483579f7ef117047e71d91c8fed0031a7ce722897ca34c8917b17a759cef2	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = fd99f8a94fa70794adda9c5f2a95a2b111ee4c5add5a7717aa406fe8ec17135b	sample.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2304	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe
2612	sample.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2812	vssvc.exe
Token: SeRestorePrivilege	2812	vssvc.exe
Token: SeAuditPrivilege	2812	vssvc.exe
Token: SeCreateTokenPrivilege	2828	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2828	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2828	WMIC.exe
Token: SeSecurityPrivilege	2828	WMIC.exe
Token: SeTakeOwnershipPrivilege	2828	WMIC.exe
Token: SeLoadDriverPrivilege	2828	WMIC.exe
Token: SeSystemtimePrivilege	2828	WMIC.exe
Token: SeBackupPrivilege	2828	WMIC.exe
Token: SeRestorePrivilege	2828	WMIC.exe
Token: SeShutdownPrivilege	2828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2828	WMIC.exe
Token: SeUndockPrivilege	2828	WMIC.exe
Token: SeManageVolumePrivilege	2828	WMIC.exe
Token: 31	2828	WMIC.exe
Token: 32	2828	WMIC.exe
Token: SeCreateTokenPrivilege	2828	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2828	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2828	WMIC.exe
Token: SeSecurityPrivilege	2828	WMIC.exe
Token: SeTakeOwnershipPrivilege	2828	WMIC.exe
Token: SeLoadDriverPrivilege	2828	WMIC.exe
Token: SeSystemtimePrivilege	2828	WMIC.exe
Token: SeBackupPrivilege	2828	WMIC.exe
Token: SeRestorePrivilege	2828	WMIC.exe
Token: SeShutdownPrivilege	2828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2828	WMIC.exe
Token: SeUndockPrivilege	2828	WMIC.exe
Token: SeManageVolumePrivilege	2828	WMIC.exe
Token: 31	2828	WMIC.exe
Token: 32	2828	WMIC.exe
Token: SeCreateTokenPrivilege	2836	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2836	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe
Token: SeSystemtimePrivilege	2836	WMIC.exe
Token: SeBackupPrivilege	2836	WMIC.exe
Token: SeRestorePrivilege	2836	WMIC.exe
Token: SeShutdownPrivilege	2836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2836	WMIC.exe
Token: SeUndockPrivilege	2836	WMIC.exe
Token: SeManageVolumePrivilege	2836	WMIC.exe
Token: 31	2836	WMIC.exe
Token: 32	2836	WMIC.exe
Token: SeCreateTokenPrivilege	2836	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2836	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe
Token: SeSystemtimePrivilege	2836	WMIC.exe
Token: SeBackupPrivilege	2836	WMIC.exe
Token: SeRestorePrivilege	2836	WMIC.exe
Token: SeShutdownPrivilege	2836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2836	WMIC.exe
Token: SeUndockPrivilege	2836	WMIC.exe
Token: SeManageVolumePrivilege	2836	WMIC.exe
Token: 31	2836	WMIC.exe
Token: 32	2836	WMIC.exe
Token: SeCreateTokenPrivilege	2700	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2528	2612	sample.exe	33
PID 2612 wrote to memory of 2528	2612	sample.exe	33
PID 2612 wrote to memory of 2528	2612	sample.exe	33
PID 2612 wrote to memory of 2528	2612	sample.exe	33
PID 2528 wrote to memory of 2828	2528	cmd.exe	35
PID 2528 wrote to memory of 2828	2528	cmd.exe	35
PID 2528 wrote to memory of 2828	2528	cmd.exe	35
PID 2612 wrote to memory of 2692	2612	sample.exe	36
PID 2612 wrote to memory of 2692	2612	sample.exe	36
PID 2612 wrote to memory of 2692	2612	sample.exe	36
PID 2612 wrote to memory of 2692	2612	sample.exe	36
PID 2692 wrote to memory of 2836	2692	cmd.exe	38
PID 2692 wrote to memory of 2836	2692	cmd.exe	38
PID 2692 wrote to memory of 2836	2692	cmd.exe	38
PID 2612 wrote to memory of 2672	2612	sample.exe	39
PID 2612 wrote to memory of 2672	2612	sample.exe	39
PID 2612 wrote to memory of 2672	2612	sample.exe	39
PID 2612 wrote to memory of 2672	2612	sample.exe	39
PID 2672 wrote to memory of 2700	2672	cmd.exe	41
PID 2672 wrote to memory of 2700	2672	cmd.exe	41
PID 2672 wrote to memory of 2700	2672	cmd.exe	41
PID 2612 wrote to memory of 436	2612	sample.exe	42
PID 2612 wrote to memory of 436	2612	sample.exe	42
PID 2612 wrote to memory of 436	2612	sample.exe	42
PID 2612 wrote to memory of 436	2612	sample.exe	42
PID 436 wrote to memory of 772	436	cmd.exe	44
PID 436 wrote to memory of 772	436	cmd.exe	44
PID 436 wrote to memory of 772	436	cmd.exe	44
PID 2612 wrote to memory of 2588	2612	sample.exe	45
PID 2612 wrote to memory of 2588	2612	sample.exe	45
PID 2612 wrote to memory of 2588	2612	sample.exe	45
PID 2612 wrote to memory of 2588	2612	sample.exe	45
PID 2588 wrote to memory of 1736	2588	cmd.exe	47
PID 2588 wrote to memory of 1736	2588	cmd.exe	47
PID 2588 wrote to memory of 1736	2588	cmd.exe	47
PID 2612 wrote to memory of 2092	2612	sample.exe	48
PID 2612 wrote to memory of 2092	2612	sample.exe	48
PID 2612 wrote to memory of 2092	2612	sample.exe	48
PID 2612 wrote to memory of 2092	2612	sample.exe	48
PID 2092 wrote to memory of 2308	2092	cmd.exe	50
PID 2092 wrote to memory of 2308	2092	cmd.exe	50
PID 2092 wrote to memory of 2308	2092	cmd.exe	50
PID 2612 wrote to memory of 2728	2612	sample.exe	51
PID 2612 wrote to memory of 2728	2612	sample.exe	51
PID 2612 wrote to memory of 2728	2612	sample.exe	51
PID 2612 wrote to memory of 2728	2612	sample.exe	51
PID 2728 wrote to memory of 2984	2728	cmd.exe	53
PID 2728 wrote to memory of 2984	2728	cmd.exe	53
PID 2728 wrote to memory of 2984	2728	cmd.exe	53
PID 2612 wrote to memory of 540	2612	sample.exe	54
PID 2612 wrote to memory of 540	2612	sample.exe	54
PID 2612 wrote to memory of 540	2612	sample.exe	54
PID 2612 wrote to memory of 540	2612	sample.exe	54
PID 540 wrote to memory of 700	540	cmd.exe	56
PID 540 wrote to memory of 700	540	cmd.exe	56
PID 540 wrote to memory of 700	540	cmd.exe	56
PID 2612 wrote to memory of 3012	2612	sample.exe	57
PID 2612 wrote to memory of 3012	2612	sample.exe	57
PID 2612 wrote to memory of 3012	2612	sample.exe	57
PID 2612 wrote to memory of 3012	2612	sample.exe	57
PID 3012 wrote to memory of 776	3012	cmd.exe	59
PID 3012 wrote to memory of 776	3012	cmd.exe	59
PID 3012 wrote to memory of 776	3012	cmd.exe	59
PID 2612 wrote to memory of 1656	2612	sample.exe	60

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2304
- C:\Users\Admin\AppData\Local\Temp\sample.exe
  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{096796F1-2149-464D-ACBB-03B5C167CC17}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{096796F1-2149-464D-ACBB-03B5C167CC17}'" delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2828
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F892CD27-E23E-4515-87B3-8F8F21B9D9C9}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F892CD27-E23E-4515-87B3-8F8F21B9D9C9}'" delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2836
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{32A7D592-2541-4316-9CBA-F77BBB019FC7}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{32A7D592-2541-4316-9CBA-F77BBB019FC7}'" delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2700
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4322938B-E7D8-427C-9899-D8612A7A139D}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4322938B-E7D8-427C-9899-D8612A7A139D}'" delete
      4⤵
      PID:772
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40688390-1826-4849-9E8B-083873315E70}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40688390-1826-4849-9E8B-083873315E70}'" delete
      4⤵
      PID:1736
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D6A7C606-A48C-4CE7-8835-04E81D7912DF}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D6A7C606-A48C-4CE7-8835-04E81D7912DF}'" delete
      4⤵
      PID:2308
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B7D60577-15EA-4C7B-BE0B-C497017039D0}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B7D60577-15EA-4C7B-BE0B-C497017039D0}'" delete
      4⤵
      PID:2984
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BB1A373F-4301-4C27-8A7E-482A72564628}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BB1A373F-4301-4C27-8A7E-482A72564628}'" delete
      4⤵
      PID:700
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E5A9288-DEC5-4D8F-9600-23F03936D215}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1E5A9288-DEC5-4D8F-9600-23F03936D215}'" delete
      4⤵
      PID:776
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{823E0A24-E393-468F-B11F-85124724B858}'" delete
    3⤵
    PID:1656
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{823E0A24-E393-468F-B11F-85124724B858}'" delete
      4⤵
      PID:1972
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0A4CD207-FB7C-469F-9F7A-80D1BD4DFCFA}'" delete
    3⤵
    PID:1708
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0A4CD207-FB7C-469F-9F7A-80D1BD4DFCFA}'" delete
      4⤵
      PID:2456
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F64151A7-2488-4B24-9A4D-D03E41D3CAC7}'" delete
    3⤵
    PID:2552
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F64151A7-2488-4B24-9A4D-D03E41D3CAC7}'" delete
      4⤵
      PID:3060
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A40927C3-0F96-44E1-B89A-47B10F36A0E6}'" delete
    3⤵
    PID:2404
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A40927C3-0F96-44E1-B89A-47B10F36A0E6}'" delete
      4⤵
      PID:588
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1C5B9C0E-6DDC-430F-9959-B1C7BC19DF79}'" delete
    3⤵
    PID:1684
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1C5B9C0E-6DDC-430F-9959-B1C7BC19DF79}'" delete
      4⤵
      PID:2320
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E322147-06DC-47C3-8F71-A37CFEE921A2}'" delete
    3⤵
    PID:1068
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E322147-06DC-47C3-8F71-A37CFEE921A2}'" delete
      4⤵
      PID:2484
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A273B3E7-11AE-4B3C-8748-31324B458734}'" delete
    3⤵
    PID:2224
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A273B3E7-11AE-4B3C-8748-31324B458734}'" delete
      4⤵
      PID:2228
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{41A049F0-5D90-4970-A62C-95EBA2C69DB2}'" delete
    3⤵
    PID:2088
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{41A049F0-5D90-4970-A62C-95EBA2C69DB2}'" delete
      4⤵
      PID:1816
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8E1A70E3-B89F-4CF4-95D7-7FBA75E2544E}'" delete
    3⤵
    PID:972
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8E1A70E3-B89F-4CF4-95D7-7FBA75E2544E}'" delete
      4⤵
      PID:2040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt

Filesize
1KB

MD5
07964a08001a1d59a205dbc09cd97171

SHA1
e73cd797c20e9e94be25b085b14ce7b402d122e6

SHA256
4ea54e8a549465288034eb0eb8697970bcf35b6c0870135b9ad4231996347fbe

SHA512
22bf0b46f108dea20beeb7dfe1384ab605203918e389baca2c5c12ca6da14b3839636b3f5bf5c542098de280f400c6eb6399e6a83449e3eb1e6f7ced161bf58e

Download Submit
C:\Users\Public\log.log

Filesize
5KB

MD5
ea31310beefe2d37b69cb05269b02145

SHA1
8b542ae12424aec0c35cf99292bd2f26269e1758

SHA256
3c07cec0bfb26634dcbfb7c194a73ab2f5c0af8827f51fbcc3ed93e7b8a7acc7

SHA512
637f6fb87bd3b8d09a9d1d4f08385433f979f5c54664b7e99f72be85dd1750e86997cc1232e81fc6c8ff95347b467f2d2e4a799a15c60d9aa4837ae780822e36

Download Submit