Overview

overview

10

Static

static

10

1250ba6f25...4b.exe

windows10-2004-x64

10

Resubmissions

06/04/2025, 17:05

250406-vmarsstybt 10

04/04/2025, 13:35

250404-qvrcasznx3 10

04/04/2025, 01:29

250404-bwktkszmw4 10

Analysis

  • max time kernel
    140s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/04/2025, 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe

  • Size

    147KB

  • MD5

    d54bae930b038950c2947f5397c13f84

  • SHA1

    e164bbaf848fa5d46fa42f62402a1c55330ef562

  • SHA256

    1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b

  • SHA512

    81001ae98c5670aaf6c33d5f2ecae1ed20058fa5b1824f0c48fc12d93c5bf7c9cc1ac502e85c9244bdd13682539ff9f343907f2e965e04f910df8144f60fd63d

  • SSDEEP

    3072:e6glyuxE4GsUPnliByocWep6v6JMdoKkgwfHweVg2sp+:e6gDBGpvEByocWe+oKT+g2a+

Score
10/10
dragonforcedefense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\AoVOpni2N.README.txt

Family

dragonforce

Ransom Note
Hello! Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay. --- Our communication process: 1. You contact us. 2. We send you a list of files that were stolen. 3. We decrypt 1 file to confirm that our decryptor works. 4. We agree on the amount, which must be paid using BTC. 5. We delete your files, we give you a decryptor. 6. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- Client area (use this site to contact us): Link for Tor Browser: http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion >>> Use this ID: A758919A7F3B351C223CF935CE8692E7 to begin the recovery process. * In order to access the site, you will need Tor Browser, you can download it from this link: https://www.torproject.org/ --- Additional contacts: Support Tox: 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20 --- Recommendations: DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. --- Important: If you refuse to pay or do not get in touch with us, we start publishing your files. 02/05/2024 00:00 UTC the decryptor will be destroyed and the files will be published on our blog. Blog: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion Sincerely, 01000100 01110010 01100001 01100111 01101111 01101110 01000110 01101111 01110010 01100011 01100101
URLs

http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion

http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion

Signatures

  • DragonForce

    Ransomware family based on Lockbit that was first observed in November 2023.

    ransomwaredragonforce
  • Dragonforce family
    dragonforce
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe
    "C:\Users\Admin\AppData\Local\Temp\1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4088
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:5368
    • C:\ProgramData\8F6C.tmp
      "C:\ProgramData\8F6C.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4936
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8F6C.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3028
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:1456
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9DD4B3B7-8754-4AFF-805D-8C9191AFD8FB}.xps" 133882473458900000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:3932

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-1279544337-3716153908-718418795-1000\MMMMMMMMMMM
      Filesize

      129B

      MD5

      589cc2b921a240a8740f7016164cfb13

      SHA1

      cf900a9605fa84fdbe17330ab69999f6a7f75492

      SHA256

      bc992552d831879b6a6efcc9fdfc226d41fb32f9814c0bd0f3d5a2a432f1fc69

      SHA512

      f4c2b8eff92fb736840af338a2469ab111625e147e106dd8441cdc2eed95ab0d0cdb52c895fc765b20c1f35f36788f12751e63626a394e49ccd4d2368c07292c

      Download Submit

    • C:\AoVOpni2N.README.txt
      Filesize

      1KB

      MD5

      5cfca0a179a9a8ad3273f7c2f786aa58

      SHA1

      04b71a57143766178066964ad3965c67942bef71

      SHA256

      7b5ccb6a6f527ed572c257ed0fbfeb6bd04f85b65b09877f2644eb0fd0f59f81

      SHA512

      4bbfbf9c9813778096a222ac217d3e2e9f03e13e1fb5670019f7f3deb819d4ab9aed5689f030081a3a668dee8d8841dd85fa16d17df9cf6e3282ac32413641b5

      Download Submit

    • C:\ProgramData\8F6C.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
      Filesize

      147KB

      MD5

      dcaa178360b1847f7be0d307ffe75445

      SHA1

      8d2603d7bcc8ec2f7aa5d62c90a8cc01a04c1a7d

      SHA256

      cb975aaf8a3df765e3dd8c7dc31bdc4491a86aeda110eed70346ea192a79097e

      SHA512

      299c2d576c922f51e4ffca0f656c758d1ba8057bfff62735d79b59a75940e9f1c0497d3b32d8762ecb21f71795576e10fedf90e12798e9651f492009ab1649e8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{F666C2D0-7F95-4151-8065-5C726A1F5029}
      Filesize

      4KB

      MD5

      e9d35583147fcead4e2e8df8fbee9cbd

      SHA1

      f94a8fdf9e7ae3894825bac46c5ebc704c5a0c67

      SHA256

      ba7a01230305460d7054588eed607e6699e674bdb488cd43f23a69000944b5e0

      SHA512

      e0e0a74738a59ea20e2df9fb7d2b4f54e40ff30bd6f6a35d39efe8f9d0557bc38407aecd19974aa20e8b2d12184e86ea860bf4ee7d7c4b894fa450440bf88a35

      Download Submit

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
      Filesize

      4KB

      MD5

      089d66aa1beebea9d759e1f88f010a5b

      SHA1

      d503e75214c441817065e5d11c406644f522707f

      SHA256

      1030e554ec3086e52faef25429dd5726c12989c1ce4017a56cd08df6f4e58b50

      SHA512

      323cf81240d2955e3f1d5ac1cac4e7a19dfa0fc134a66a5456f66436b8e23d48be00150c8015c9255fe9c9a190cf6df88147edcc04967b6ba0145e619b8d326e

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1279544337-3716153908-718418795-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      875fbc6a6b49a095712c42a27dee9525

      SHA1

      d704108cf794ac7d3e810d05da0942f9e7ab692a

      SHA256

      3dc00777ceb3625345286cc6c8afdaf6e2da0fe821453457f5889717e22140be

      SHA512

      f6b3729e7a5bc277e40e0184bc6ae9caf3a9f84d1e4f08a468db3b3f6bfcef7013a227e6de3c84aba6b7c4f4f4301f742a77e2db395bcb8840d986f09a1cb281

      Download Submit

    • memory/3932-3425-0x00007FFD364C0000-0x00007FFD364D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3932-3420-0x00007FFD38C70000-0x00007FFD38C80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3932-3424-0x00007FFD38C70000-0x00007FFD38C80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3932-3423-0x00007FFD38C70000-0x00007FFD38C80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3932-3422-0x00007FFD38C70000-0x00007FFD38C80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3932-3421-0x00007FFD38C70000-0x00007FFD38C80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3932-3426-0x00007FFD364C0000-0x00007FFD364D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-3377-0x0000000002FF0000-0x0000000003000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-1-0x0000000002FF0000-0x0000000003000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-2-0x0000000002FF0000-0x0000000003000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-3376-0x0000000002FF0000-0x0000000003000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-3375-0x0000000002FF0000-0x0000000003000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-0-0x0000000002FF0000-0x0000000003000000-memory.dmp

      Filesize

      64KB

      Download