dragonforce | 005ed5de8a3e72a91f8a2e0d2a3088c41c681feb70dffbd9097e22c288b6b70c

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2024, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

465KB
MD5

e4a4fc96188310b7b07e7c0525b5c0aa
SHA1

81185dd73f2e042a947a1bf77f429de08778b6e9
SHA256

d4de7d7990114c51056afeedb827d880549d5761aac6bdef0f14cb17c25103b3
SHA512

72d27e3019954c3c98b8912842c42ee1fe5af5ca7b9717f7ee8bb61f16528c374f883f4b9697c1805ea59a5e854e4aa53aa6cfe06d87d87b181dd12def7d61d6
SSDEEP

12288:HZph8TCfS9dQ1GH4wKcmY8FYkEv+NTjUU1GaJyixE:HZpCTCfS9dQ104wdV8FImTjUYGViS

Score

10^/10

dragonforce credential_access discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\readme.txt

Family

dragonforce

Ransom Note

Hello! Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay. --- Our communication process: 1. You contact us. 2. We send you a list of files that were stolen. 3. We decrypt 1 file to confirm that our decryptor works. 4. We agree on the amount, which must be paid using BTC. 5. We delete your files, we give you a decryptor. 6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- Client area (use this site to contact us): Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion >>> Use this ID: 5259BC46FA7356359C5E94D817168178 to begin the recovery process. * In order to access the site, you will need Tor Browser, you can download it from this link: https://www.torproject.org/ --- Additional contacts: Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20 --- Recommendations: DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. --- Important: If you refuse to pay or do not get in touch with us, we start publishing your files. 12/07/2024 00:00 UTC the decryptor will be destroyed and the files will be published on our blog. Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion Sincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101

URLs

http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion

http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

Signatures

DragonForce
Ransomware family based on Lockbit that was first observed in November 2023.
ransomware dragonforce
Dragonforce family
dragonforce
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	sample.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 22 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	sample.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	sample.exe
File opened for modification	C:\Program Files\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	sample.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ADO210.CHM	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\readme.txt	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms	sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\da-dk\readme.txt	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBUI6.CHM	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\readme.txt	sample.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\readme.txt	sample.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ms.pak	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\main-selector.css	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\selector.js	sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sk.pak.DATA	sample.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\readme.txt	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\readme.txt	sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close2x.png	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\readme.txt	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-pl.xrm-ms	sample.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\readme.txt	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png	sample.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\readme.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\EdgeUpdate.dat.LOG2	sample.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ur.pak	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\ui-strings.js	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV	sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.White.png	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ppd.xrm-ms	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\3082\MSO.ACL	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-phn.xrm-ms	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms	sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\common.luac	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\gl.pak	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\readme.txt	sample.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version	sample.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\example_icons2x.png	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EdgeWebView.dat	sample.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\readme.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\readme.txt	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms	sample.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\readme.txt	sample.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\readme.txt	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-oob.xrm-ms	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\nexturl.ort	sample.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\readme.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\main-selector.css	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ppd.xrm-ms	sample.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sample.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sample.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 0cfb72077e94f34f6861fb54d736ad83d15b3ee965c91c6bcb0368221d552b07	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 87562d0ce5fa57b00f902f2b6ee6ab7a43e5e96a62e6298b6d213da18499091b	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 833068b0b25ff74a5a797fb441cc7cf23741fbf75ae9ec1c17639caef2e9f034	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = e7ecaf0c3326231bb3089c05eca2ebf73a73a9036d25f5622485f9b0c260fa9f	sample.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e0044004100540000000000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d0044006100740061005c00550053004f005300680061007200650064005c004c006f00670073005c00530079007300740065006d005c004d006f00550073006f0043006f007200650057006f0072006b00650072002e00360030003000640038003000340061002d0061003800620066002d0034003600660061002d0062003200380061002d006500330035006300320038006400640038003600350037002e0031002e00650074006c0000000000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d0044006100740061005c00550053004f005300680061007200650064005c004c006f00670073005c00530079007300740065006d005c00550070006400610074006500530065007300730069006f006e004f0072006300680065007300740072006100740069006f006e002e00630030003200660035006200620062002d0031006200660063002d0034003600650065002d0038006600660031002d006600640035006500370032003100390030003600640062002e0031002e00650074006c0000000000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d0044006100740061005c00550053004f005300680061007200650064005c004c006f00670073005c00530079007300740065006d005c0057007500500072006f00760069006400650072002e00350064003100390032003500610033002d0062006100630031002d0034003200340031002d0062006300660063002d006100660039003500300036003500640038003300380064002e0031002e00650074006c0000000000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 5f5164a2179adde0888b04efb9274ce5b899d2c67fd3bb158720de66e9ab67c7	sample.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d0044006100740061005c00550053004f0050007200690076006100740065005c00550070006400610074006500530074006f00720065005c00730074006f00720065002e006400620000000000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 59e9e5100b13a9eeabd07e384e92e3020ddb1cdf7c6eaf5aab577f2cbf20b2ee	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 646fdca3ca9733e52e608c442750614ec64f456a11b59c058404ec472ca33ca6	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 4792f02e96edcc9fd0094bef50a60318c57247dfdb12bccec58a6e52f807f5de	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 57299e2ab0aab30362c6606fcddea8b6dc02cb35be6de14e8258122159bb62e8	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 3f8123c7d89855a1770c349a261d97147254e3e63ea2efa79fd6f430eae5e661	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = d3aad9fdc484174cce0ec05c6f93c3dfeb5d38e55517023c22ed297a47a646a5	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 5ab0031b7ed45a6fc40a5fa949b80b12ccf91b31d71b225aea3253ac1956a444	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c004d006900630072006f0073006f00660074005c00470061006d0065004400560052005c004b006e006f0077006e00470061006d0065004c006900730074002e00620069006e0000000000	sample.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	sample.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = a0d4a1d05efbeb05b5d965982f4ec7d37f7b0ce3090d15560973f5b84beea898	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = f44d66d54bd8698108355f4a4731fc8c7b579260f99306938a83f5339960d3c7	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 92f7515cfdaf868c21c2d88daf857bdd8e0952d0a30cdbe35cfe084cfe7a7471	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 59eb3019c64e3f6afff71561c0b05075a6a215ba429300f6c2149fd35184e77c	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00440075006d00700053007400610063006b002e006c006f0067002e0074006d00700000000000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = ed5fbfb5e52b487a7848e8889e954fca7091c3c53f01f4baf28693546f4e60ce	sample.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	sample.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "2"	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d002e0062006c00660000000000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 68eb0e8ff9eecf2106c190235fb11c0443d11298d0996cdbd52f2cefd8c2764a	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = a1ba6596afcea68e72e1e63e589fb21a583a86737a03406f2884ebd617c0c9bc	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = d3b9e7ec7f49271a796cfb714b8bace4acc9cd6eaa4c2a0952c6c3e99dfaa060	sample.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = f47dcc689d1f919ac12f78232d564b4cc076b323a9e3833d1b14568ce30bc52f	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = ddd6604a4c109a337b027d9cd67588c77e3976ff90c1459313421f3fb9bbd658	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 1b45906c464c78c86ff64a941a4e5ed8d3314b69ee6c3b43fa254bd2b45a5faa	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 11eeed6fc35f3b55823f09ef1f476a86973e4b602079bfd1a38404cf45e5d750	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00350033006200330039006500380038002d0031003800630034002d0031003100650061002d0061003800310031002d003000300030006400330061006100340036003900320062007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c0043006f006e006e0065006300740065006400440065007600690063006500730050006c006100740066006f0072006d005c004c002e00410064006d0069006e005c004100630074006900760069007400690065007300430061006300680065002e006400620000000000	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 0c0c00006fb5c417a73fdb01	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = ee465fdaa92c1f757a80dd84dc96ada38dbf69050fda5e5b6e077f2d1e619e64	sample.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = c8845ee66fe7680d3a31d2d8edfd39754a71cbb18ba3803950a36750a7c114c2	sample.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
548	sample.exe
548	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe
3084	sample.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeBackupPrivilege	2756	vssvc.exe
Token: SeRestorePrivilege	2756	vssvc.exe
Token: SeAuditPrivilege	2756	vssvc.exe
Token: SeCreateTokenPrivilege	4504	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4504	WMIC.exe
Token: SeSecurityPrivilege	4504	WMIC.exe
Token: SeTakeOwnershipPrivilege	4504	WMIC.exe
Token: SeLoadDriverPrivilege	4504	WMIC.exe
Token: SeSystemtimePrivilege	4504	WMIC.exe
Token: SeBackupPrivilege	4504	WMIC.exe
Token: SeRestorePrivilege	4504	WMIC.exe
Token: SeShutdownPrivilege	4504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4504	WMIC.exe
Token: SeUndockPrivilege	4504	WMIC.exe
Token: SeManageVolumePrivilege	4504	WMIC.exe
Token: 31	4504	WMIC.exe
Token: 32	4504	WMIC.exe
Token: SeCreateTokenPrivilege	4504	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4504	WMIC.exe
Token: SeSecurityPrivilege	4504	WMIC.exe
Token: SeTakeOwnershipPrivilege	4504	WMIC.exe
Token: SeLoadDriverPrivilege	4504	WMIC.exe
Token: SeSystemtimePrivilege	4504	WMIC.exe
Token: SeBackupPrivilege	4504	WMIC.exe
Token: SeRestorePrivilege	4504	WMIC.exe
Token: SeShutdownPrivilege	4504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4504	WMIC.exe
Token: SeUndockPrivilege	4504	WMIC.exe
Token: SeManageVolumePrivilege	4504	WMIC.exe
Token: 31	4504	WMIC.exe
Token: 32	4504	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 1704	3084	sample.exe	87
PID 3084 wrote to memory of 1704	3084	sample.exe	87
PID 1704 wrote to memory of 4504	1704	cmd.exe	89
PID 1704 wrote to memory of 4504	1704	cmd.exe	89

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:548
- C:\Users\Admin\AppData\Local\Temp\sample.exe
  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  2⤵
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8DB2BF15-85F5-4819-86C1-35E47A0FFE8E}'" delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8DB2BF15-85F5-4819-86C1-35E47A0FFE8E}'" delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\readme.txt

Filesize
1KB

MD5
8c9947654198f41a075297d048db80ec

SHA1
05107bdb6dea2a3171bd8ee054e0297a02639f80

SHA256
edbd965d595da039f67740b1e8f12f1d23ae5b00a2b09afe6ea6bf715576f31a

SHA512
e5d86e43bb1eb41a6b2e32160f7c9cd88e3764174af07ff7e68221cba80251295bdf28c4382c45b13b83f1d8735a93596361b7a42479c1b7239709a7b33b845c

Download Submit
C:\Users\Public\log.log

Filesize
4KB

MD5
941f1814fd89fefcbab4857ae55c89ce

SHA1
6b06841015687ec00af00da48e287147f602c9e7

SHA256
f0d563f0563df9b35ca794a3b7528f0cfc65dfb68a69cfc71180fa7025b7ded0

SHA512
e65c918a4b30bcac9ff8cb1c11c92fe6046e8cf7b50f60f3eb849ee0dadf4762f427f2e667c32ae3fe5bb39e290408d0026247d0286691dd227cf5848724b5b8

Download Submit