2025-09-25

DragonForce, Play, and RansomHub Collide in One Intrusion

Level: Tactical | Source: The DFIR Report | Global

The DFIR Report documents a six-day intrusion, observed in September 2024, that ended without encryption but revealed meaningful overlap in tradecraft across three ransomware gangs: DragonForce, Play, and RansomHub. Investigators found converging tooling and techniques: utilities shared by all three groups alongside distinct artifacts attributable to each. Common to all three were “AdFind,” “NetScan,” “PsExec,” “WinRAR,” and “WinSCP,” while DragonForce and Play both relied on SystemBC for tunneling and command-and-control (C2). Play and RansomHub were linked through the use of Impacket’s WMIExec for remote execution and lateral movement. The case shows how an affiliate can mix tooling from several ransomware-as-a-service brands, producing a blended footprint that complicates attribution while preserving a consistent operational goal: steal data, expand access, and prepare the environment for impact.

Day one activity spanned 1 hour 38 minutes. It began with a trojanized “EarthTime.exe” that established persistence via a Startup folder “.lnk” and launched “cmd.exe” (no arguments), which in turn spawned “MSBuild.exe” (also without arguments). Based on execution patterns previously tracked by threat teams, The DFIR Report attributes this stage to “SecTopRAT/ArechClient2,” which retrieved its configuration from pastebin[.]com before contacting its C2. The adversary added a local administrator account, “Admon,” ran local discovery commands such as “chcp,” and used “rundll32.exe” to execute a suspicious DLL, “WakeWordEngine.dll,” from the “C:\Users\Public” directory; the DLL was identified as a SystemBC component staged in a world-writable location. Before closing day one, the operators performed credential access through DCSync and ran a PowerShell script against the Veeam database, while lateral movement proceeded over RDP and via “PsExec” with service-level privileges. As The DFIR Report states, “By utilizing the ‘-s’ parameter, the adversaries were able to execute malicious binaries with SYSTEM-level privileges, effectively escalating from their initial user-level access to the highest administrative privileges on the Windows system.” The “-s” flag starts PsExec’s remote service as SYSTEM; it presupposes local administrator rights on the target, so what the operators gained on each host was the SYSTEM security context rather than a bypass of any access control.
On day two (1 hour 56 minutes), re-entry occurred through RDP sessions traversing the SystemBC proxy, followed by collection and staging on a file server using “WinRAR,” and exfiltration via “WinSCP” to an external FTP endpoint. Directory and host reconnaissance expanded with the “Get-ADComputer” PowerShell cmdlet, “AdFind” queries, the Play-linked “Grixba/GT_NET.exe,” SoftPerfect “netscan.exe,” and “SharpHound” (as a DLL renamed “PrimeTools.dll”). The DFIR Report highlights tailored scanning: netscan, executed from “C:\Users\Public\Music\123\123\netscan.exe,” probed ports 135/445/3389 across dozens of addresses, and review of “netscan.xml” showed options tuned to push “PsExec”-based script runs (for example, “newuser.bat,” “openrdp.bat,” “start.bat”) to remote systems. Additional artifacts included BloodHound output written to atypical paths and archive and log files in public folders, indicating sustained domain mapping and file discovery.
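The process-execution artifacts from days one and two (MSBuild.exe launched with an empty command line, rundll32.exe loading a DLL from a user-writable path, PsExec with “-s,” and tooling run from the public staging directory) reduce to a handful of rules over process-creation telemetry. The block below is an added example written for this page, not code from The DFIR Report or Anvilogic; the Sysmon-style records it runs over are constructed, and the exact paths and command lines in them are illustrative rather than copied from the report.

```python
"""Detection rules for the process-execution artifacts described above
(MSBuild.exe launched without arguments, rundll32.exe loading a DLL from a
user-writable path, PsExec run with -s, binaries started from a public staging
directory), run over constructed Sysmon-style process-creation records."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon Event ID 1 shape: host, parent image, image, command line."""
    host: str
    parent_image: str
    image: str
    command_line: str


# The case staged tooling under C:\Users\Public; the broader tuple covers other
# paths any interactive user can write to (assumption: default Windows layout).
PUBLIC_STAGING = "c:\\users\\public\\"
USER_WRITABLE_ROOTS = (PUBLIC_STAGING, "c:\\programdata\\", "c:\\users\\")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_ROOTS)


def arguments(command_line: str) -> str:
    """Return everything after the program token, whether it was quoted or bare."""
    s = command_line.strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        return s[close + 1:].strip() if close != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def rundll32_target(rest: str) -> tuple[str, str]:
    """Split rundll32's first argument into (dll path, export name)."""
    rest = rest.strip()
    if rest.startswith('"'):                      # "C:\path with spaces\x.dll",Export
        close = rest.find('"', 1)
        dll, tail = rest[1:close], rest[close + 1:]
    else:                                         # C:\path\x.dll,Export
        dll, _, tail = rest.split(None, 1)[0].partition(",")
    tail = tail.lstrip(", ")
    return dll, (tail.split()[0] if tail else "")


def evaluate(events: list[ProcEvent]) -> list[tuple[str, str, str]]:
    """Return one (rule, host, detail) tuple per matching record."""
    hits: list[tuple[str, str, str]] = []
    for e in events:
        name, parent = basename(e.image), basename(e.parent_image)
        rest = arguments(e.command_line)
        tokens = [t.lower() for t in rest.split()]
        # MSBuild.exe with an empty command line builds nothing; in the case it
        # hosted SecTopRAT and later parented the Betruger binary.
        if name == "msbuild.exe" and not tokens:
            hits.append(("msbuild_no_arguments", e.host, name))
        if parent == "msbuild.exe" and in_user_writable(e.image):
            hits.append(("msbuild_spawns_user_writable_child", e.host, name))
        # rundll32 loading a DLL from outside the Windows directory (WakeWordEngine.dll,Reset).
        if name == "rundll32.exe" and rest:
            dll, export = rundll32_target(rest)
            if in_user_writable(dll):
                hits.append(("rundll32_dll_from_user_writable_path", e.host,
                             f"{basename(dll)}!{export}"))
        # PsExec -s: the remote service runs as SYSTEM (needs admin on the target).
        if name in ("psexec.exe", "psexec64.exe") and "-s" in tokens:
            hits.append(("psexec_system_flag", e.host, name))
        if e.image.lower().startswith(PUBLIC_STAGING):
            hits.append(("binary_from_public_staging_dir", e.host, name))
    return hits


SAMPLE_EVENTS = [
    # Constructed records modelled on the day-one chain; paths and command lines
    # are illustrative, not copied from the report.
    ProcEvent("ws01", r"C:\Windows\explorer.exe",
              r"C:\Users\jdoe\AppData\Roaming\EarthTime\EarthTime.exe",
              r'"C:\Users\jdoe\AppData\Roaming\EarthTime\EarthTime.exe"'),
    ProcEvent("ws01", r"C:\Users\jdoe\AppData\Roaming\EarthTime\EarthTime.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"'),
    ProcEvent("ws01", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Users\Public\Music\ccs.exe", r'"C:\Users\Public\Music\ccs.exe"'),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\Public\Music\WakeWordEngine.dll,Reset"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\Music\PsExec.exe",
              r"PsExec.exe \\fs01 -accepteula -s -d cmd.exe /c C:\Users\Public\Music\start.bat"),
    ProcEvent("dc01", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\Public\Music\123\123\netscan.exe",
              r'"C:\Users\Public\Music\123\123\netscan.exe"'),
    # Benign controls that must not fire: a real build and a stock rundll32 call.
    ProcEvent("build01", r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" App.sln /t:Build'),
    ProcEvent("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for rule, host, detail in evaluate(SAMPLE_EVENTS):
        print(f"{host:8} {rule:40} {detail}")
```

The PsExec rule keys on the image name, which a renamed copy defeats; in real telemetry, match on the Sysinternals file description or hash instead. The Startup folder “.lnk” is a file-creation artifact (Sysmon Event ID 11), not a process-creation one, and is deliberately outside this block.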

Activity paused after day two and resumed on day six (3 hours 25 minutes) with deployment of the Betruger backdoor, executed as “C:\Users\Public\Music\ccs.exe” under an “MSBuild.exe” parent. The DFIR Report (corroborating prior public research from Symantec) describes Betruger as a multi-function toolset supporting screenshot capture, keystroke logging, file exfiltration, network reconnaissance, privilege escalation, and credential harvesting, built to consolidate the steps that precede ransomware deployment. Telemetry spiked as “ccs.exe” injected into the memory of 172 running processes and accessed LSASS for credential material, while reconnaissance repeated through native commands: “whoami,” “nltest /domain_trusts,” “nltest /dclist:,” “ping,” “net user,” and ‘net group "domain admins"’. In parallel, Impacket “WMIExec” was used from the domain controller to fan out additional enumeration, and new RDP logons touched further hosts. Three C2 channels were present across the engagement: SecTopRAT, SystemBC, and Betruger, supporting persistence, pivoting, and late-stage staging.

While encryption never executed, the operators completed data theft and the advanced staging steps characteristic of ransomware affiliates, and the toolchain mapped cleanly to a multi-affiliate model, per The DFIR Report’s analysis. Indicators tying activity to Play included “Grixba/GT_NET.exe” and “GRB_NET.exe” plus the consistent use of “C:\Users\Public\Music\” as a staging directory; RansomHub alignment came through the Betruger backdoor and BITS-based file moves; and DragonForce linkage surfaced in legacy “NetScan” outputs referencing a separate victim later listed on that group’s leak site. From a telemetry perspective, notable footprints included Startup folder “.lnk” persistence, “MSBuild.exe” execution without a command line, “rundll32.exe” invoking “WakeWordEngine.dll” from a public music folder with the “Reset” export, AD replication events (DCSync), PowerShell Script Block logs (Event ID 4104) tied to database credential extraction, authentication bursts (Event ID 4776) following backdoor deployment, and clear-text FTP transfers of “WinRAR” archives. The picture that emerges is a disciplined affiliate using blended TTPs, shared discovery tools, two tunneling and C2 layers, and repeatable living-off-the-land pivots to reach exfiltration and position the environment for potential ransomware, as detailed by The DFIR Report.
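Three of the event-log footprints above (DCSync, the Veeam credential script in 4104, and the 4776 burst) are correlation rules rather than single-event matches. The block below is an added example for this page, not code from The DFIR Report or Anvilogic. The sample events and their timeline are constructed; the replication-right GUIDs are the real control-access rights a DCSync caller must request; the strings used to spot the Veeam script are an assumption based on public Veeam credential-dump scripts, which read the Credentials table of the VeeamBackup database through System.Data.SqlClient.

```python
"""Correlation rules for three of the Windows event-log footprints listed above:
DCSync seen as Event ID 4662 replication-right requests from a non-DC account,
the Veeam credential-extraction script in PowerShell script-block logs (4104),
and the NTLM authentication burst (4776) that followed the backdoor. Exercised
against constructed sample events."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Control-access-right GUIDs a DCSync caller must request on the domain naming context.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
# Assumption: markers typical of public Veeam credential-dump scripts.
VEEAM_DB_MARKERS = ("veeambackup", "credentials")
SQL_CLIENT_MARKERS = ("sqlconnection", "sqlclient", "invoke-sqlcmd")


@dataclass(frozen=True)
class WinEvent:
    ts: datetime
    event_id: int
    data: dict[str, str]  # EventData fields, named as in the event's XML view


def detect_dcsync(events, known_dcs: set[str]) -> list[tuple[datetime, str]]:
    """4662 carrying a replication right, requested by anything but a DC computer account."""
    hits = []
    for e in events:
        if e.event_id != 4662:
            continue
        props = e.data.get("Properties", "").lower()
        if not any(guid in props for guid in REPLICATION_RIGHTS):
            continue
        subject = e.data.get("SubjectUserName", "")
        if subject.endswith("$") and subject[:-1].lower() in known_dcs:
            continue  # DC-to-DC replication is expected
        hits.append((e.ts, subject))
    return hits


def detect_veeam_cred_script(events) -> list[tuple[datetime, str]]:
    """4104 script blocks that touch the Veeam credential table through a SQL client."""
    hits = []
    for e in events:
        if e.event_id != 4104:
            continue
        text = e.data.get("ScriptBlockText", "").lower()
        if all(m in text for m in VEEAM_DB_MARKERS) and any(m in text for m in SQL_CLIENT_MARKERS):
            hits.append((e.ts, e.data.get("Path", "")))
    return hits


def detect_auth_bursts(events, threshold: int = 20,
                       window: timedelta = timedelta(seconds=60)) -> dict[str, tuple[datetime, datetime, int]]:
    """Sliding-window count of 4776 per source workstation; for each workstation that
    crosses the threshold, return (window start, window end, count) of its densest window."""
    recent: dict[str, deque] = defaultdict(deque)
    flagged: dict[str, tuple[datetime, datetime, int]] = {}
    for e in sorted((x for x in events if x.event_id == 4776), key=lambda x: x.ts):
        ws = e.data.get("Workstation", "")
        q = recent[ws]
        q.append(e.ts)
        while e.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and (ws not in flagged or len(q) > flagged[ws][2]):
            flagged[ws] = (q[0], e.ts, len(q))
    return flagged


T0 = datetime(2024, 9, 1, 9, 0, 0)  # constructed timeline, not the report's timestamps
VEEAM_SCRIPT = (  # constructed script text in the style of public Veeam credential dumpers
    "$c = New-Object System.Data.SqlClient.SqlConnection('Server=.\\VEEAMSQL2016;"
    "Database=VeeamBackup;Integrated Security=True'); $c.Open(); $cmd = $c.CreateCommand(); "
    "$cmd.CommandText = 'SELECT user_name, password FROM [dbo].[Credentials]'"
)
SAMPLE_EVENTS = [
    WinEvent(T0, 4662, {"SubjectUserName": "DC02$",  # normal replication partner
                        "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}),
    WinEvent(T0 + timedelta(minutes=5), 4662, {"SubjectUserName": "Admon",
                        "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}),
    WinEvent(T0 + timedelta(minutes=5, seconds=1), 4662, {"SubjectUserName": "Admon",
                        "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}),
    WinEvent(T0 + timedelta(minutes=10), 4104, {"ScriptBlockText": VEEAM_SCRIPT,
                                                "Path": "C:\\Users\\Public\\v.ps1"}),
    WinEvent(T0 + timedelta(minutes=11), 4104, {"ScriptBlockText": "Get-ChildItem C:\\Backups",
                                                "Path": ""}),
    # 25 NTLM validations from one host inside 25 seconds: the post-backdoor burst.
    *[WinEvent(T0 + timedelta(minutes=20, seconds=i), 4776,
               {"Workstation": "WS01", "TargetUserName": f"user{i:02d}"}) for i in range(25)],
    # A normal trickle from another host stays below threshold.
    *[WinEvent(T0 + timedelta(minutes=30 + 5 * i), 4776,
               {"Workstation": "WS07", "TargetUserName": "jdoe"}) for i in range(3)],
]

if __name__ == "__main__":
    print("DCSync:", detect_dcsync(SAMPLE_EVENTS, {"dc01", "dc02"}))
    print("Veeam credential script:", detect_veeam_cred_script(SAMPLE_EVENTS))
    print("4776 bursts:", detect_auth_bursts(SAMPLE_EVENTS))
```

In production the DCSync rule needs an allow-list beyond DC computer accounts (for example, directory synchronization service accounts that legitimately hold replication rights), and the 4776 threshold should come from a per-host baseline rather than the constant used here.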