Analysis

  • max time kernel
    145s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/02/2025, 02:08

General

  • Target

    1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe

  • Size

    147KB

  • MD5

    d54bae930b038950c2947f5397c13f84

  • SHA1

    e164bbaf848fa5d46fa42f62402a1c55330ef562

  • SHA256

    1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b

  • SHA512

    81001ae98c5670aaf6c33d5f2ecae1ed20058fa5b1824f0c48fc12d93c5bf7c9cc1ac502e85c9244bdd13682539ff9f343907f2e965e04f910df8144f60fd63d

  • SSDEEP

    3072:e6glyuxE4GsUPnliByocWep6v6JMdoKkgwfHweVg2sp+:e6gDBGpvEByocWe+oKT+g2a+

Malware Config

Extracted

Path

C:\AoVOpni2N.README.txt

Family

dragonforce

Ransom Note
Hello! Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay. --- Our communication process: 1. You contact us. 2. We send you a list of files that were stolen. 3. We decrypt 1 file to confirm that our decryptor works. 4. We agree on the amount, which must be paid using BTC. 5. We delete your files, we give you a decryptor. 6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- Client area (use this site to contact us): Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion >>> Use this ID: A758919A7F3B351CCA3258E73175E282 to begin the recovery process. * In order to access the site, you will need Tor Browser, you can download it from this link: https://www.torproject.org/ --- Additional contacts: Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20 --- Recommendations: DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. --- Important: If you refuse to pay or do not get in touch with us, we start publishing your files. 02/05/2024 00:00 UTC the decryptor will be destroyed and the files will be published on our blog. Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion Sincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101
URLs

http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion

http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

Signatures

  • DragonForce

    Ransomware family based on Lockbit that was first observed in November 2023.

  • Dragonforce family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
    "C:\Users\Admin\AppData\Local\Temp\1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:1864
    • C:\ProgramData\1B64.tmp
      "C:\ProgramData\1B64.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3320
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1B64.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3524
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:848
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3216
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{1C38374E-83E2-43FF-9910-B3DB2EA46C96}.xps" 133843181489070000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:1392

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-22591836-1183090055-1220658180-1000\desktop.ini

      Filesize

      129B

      MD5

      2f1e4c7b6e3e1f385565f65ea6106a2f

      SHA1

      aaf610af368ce335ee924317aae3ceba7a891891

      SHA256

      184b31910b717dac45bd086178615210a0cf1b697d0b7c7e0925494ef55d1610

      SHA512

      2338a733a8245f61ffe678be024e44afa66c3d44dd48cc01d3b47526d6a841a280cd360ed0270319c4bb01a579504d02fb714c240c2fddc80e453bc36c6313fb

    • C:\AoVOpni2N.README.txt

      Filesize

      1KB

      MD5

      a65820c15121acae3415d986f3599205

      SHA1

      8ca24f5352f539b06ef8c9cb868b658d50a6073f

      SHA256

      e99f5578c69897ed11922f1abd0935ee8292d178038b8896e918af56d1721df5

      SHA512

      47f7e1b56679c28bf196e0ec98cc477cfb893f343ef060038c73f7620b6918513b206a4c24ae8e57f144970b6b0b086833023a5e8b2ba6320aed472b6ab4cd74

    • C:\ProgramData\1B64.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

      Filesize

      147KB

      MD5

      eb8dfd93f65de3ed36418ef5f1864561

      SHA1

      79add71803b21dae4301a145cf5ec1ca78a0d5b2

      SHA256

      57e217e3131065f0d1c3858952c6582a537d9493b0e6b4465b8ee080f971af56

      SHA512

      54958008a997f13e0c36a6845c207014baa9fab387866978740a4546500d27abd7f7f19c697b9757ac1097dffd9079f4691039ba084ede99aec20cb3f3eee236

    • C:\Users\Admin\AppData\Local\Temp\{635CB9C4-CE9B-4FA3-A737-ECC91DDC82A5}

      Filesize

      4KB

      MD5

      d42eb771606193fbd86d0ccfc17cb6ec

      SHA1

      2d9a69f42dce3300bef8af20164e34f0a52d84bf

      SHA256

      59bf6dc33f67e0d866edb044f6a04cfd16e17d0b09b5165fa3c834abe4f4e571

      SHA512

      30b398e472ea71d5c13a8aef4d88866fb6e6b1dc889c4f6e325196109b1bbe6660064c826a3cf322c4a2fa20991b35e5b7ef4f7df74bac8a9dec55fe37c61905

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      af010dd301ff9d7cb8494988b37b1170

      SHA1

      d541a7789fb2f55cc28f86e1a70b32b437816e2e

      SHA256

      442f0614aade204285b30ac32755f98913f9b794ab666ffb2b2ac2b2b8a69996

      SHA512

      1b8c7d409efa535cb072c83748272ccf0c3e5a0d830995ea57242d0931402459c13f50a8f1fb711db399929c23fa9fa8dbebfae3100fa3197df4940f76ce5250

    • F:\$RECYCLE.BIN\S-1-5-21-22591836-1183090055-1220658180-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      49dd1011b4295ba95693d2625f3cd616

      SHA1

      b0a080548916bd505ec0507bbe8019e2bb5314c3

      SHA256

      f4386f08366e741859446bcb0a266d694cbccdcc0b0271226e5b55bddc06a695

      SHA512

      f539b058250640a2f1b1a95e3f55fa3daa3f9897bc75588da62d4d5c477cc87e66ea216eed73ea1cb5848ef96c89ec3e5293ffe62ceeaa78e074eeb057816d38

    • memory/1392-2886-0x00007FF9AB0A0000-0x00007FF9AB0B0000-memory.dmp

      Filesize

      64KB

    • memory/1392-2853-0x00007FF9AD2B0000-0x00007FF9AD2C0000-memory.dmp

      Filesize

      64KB

    • memory/1392-2855-0x00007FF9AD2B0000-0x00007FF9AD2C0000-memory.dmp

      Filesize

      64KB

    • memory/1392-2854-0x00007FF9AD2B0000-0x00007FF9AD2C0000-memory.dmp

      Filesize

      64KB

    • memory/1392-2856-0x00007FF9AD2B0000-0x00007FF9AD2C0000-memory.dmp

      Filesize

      64KB

    • memory/1392-2857-0x00007FF9AD2B0000-0x00007FF9AD2C0000-memory.dmp

      Filesize

      64KB

    • memory/1392-2887-0x00007FF9AB0A0000-0x00007FF9AB0B0000-memory.dmp

      Filesize

      64KB

    • memory/1784-2838-0x0000000002C90000-0x0000000002CA0000-memory.dmp

      Filesize

      64KB

    • memory/1784-2-0x0000000002C90000-0x0000000002CA0000-memory.dmp

      Filesize

      64KB

    • memory/1784-1-0x0000000002C90000-0x0000000002CA0000-memory.dmp

      Filesize

      64KB

    • memory/1784-2837-0x0000000002C90000-0x0000000002CA0000-memory.dmp

      Filesize

      64KB

    • memory/1784-2836-0x0000000002C90000-0x0000000002CA0000-memory.dmp

      Filesize

      64KB

    • memory/1784-0-0x0000000002C90000-0x0000000002CA0000-memory.dmp

      Filesize

      64KB