Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-07-2024 00:58

General

  • Target

    LisectAVT_2403002B_153.exe

  • Size

    444KB

  • MD5

    ef6da88c6be6fb9b3da57d60ba73fc42

  • SHA1

    d91a8cdf950085dd1eff243452ff41d165baad3f

  • SHA256

    60e55ca2aeeeacc6428a1e9c1b43742009a8f50807bbebee0d1527ba155268b8

  • SHA512

    15ebe4b168b34fcbef387fc87fbdda37b68cd16b24f5d03aa609725fc20dd0ad9f251c57d9527378a33ad15d258b0bff8ac4e350bdcc76c673de7d9711dc5dbb

  • SSDEEP

    6144:0UGV83D35bJrqV2L/E0tA+j16kUef5Nj1mB9WjEw0tzMVv:nvmVe9h1qEtkBzw0tQ

Malware Config

Extracted

Path

C:\MSOCache\WIMFZFOBXY-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.3 =---

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS*****

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: .WIMFZFOBXY

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/70f8d3f01256e468
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

---BEGIN GANDCRAB KEY---
lAQAADpRfE3Rg4YUlifV8hyg3j8ziChtxi7XX0A0V/QtLGkCtGBx5sg4nv8qymZvG3VGCVR2AFYDR1RGJtoHmgPi6KlkUF7BDPyyMTxwJIfZ+TFshcSsq1fGjDMFuPQE/QIrzVOzJeKcs/dE59Npq+bcs4ltxXLomKasghKJk9FUgSUrCzqTTnU5S2S0lH14clWJ9ULkS2Rs9Eh0BYSLuSJP05Ly3cmQts9icnC8C73ig8IFH01+Sl8JA0El0wrkQrEiYHeJBMSVYci8A37/jaTpOL5aTG59oXLgVztnV8brzQFGhKE0F3d+c0bsfpPrrtyo5hCjqKCwIYwnhz202gXWD1mPR2bMDFot8X7JUgTbVLOfGmKQJKv0hC2zOAuQk4dzWhlYjTfLxs8QS7/I+WDytgpZ7Y03g62nzG88LeMuj3IcL0dybGpzKIqUsvNsJ8L3LN0mrkYtA6+tUj0JdpQ8xrVt9ZJeKeC7sYg3RNTBYw4ggAZ6tWPfBvzgJFvvIgUqEu9ZoPEDqEXjRq+2qu+72/WYPJsOTl/XZV7d62cJ8z4V5pPFbGhjPgL/T4t+yjpudZvQ4fsFLXSTJuaoT1qP4+IcLzCL+WCeusQCuGPcf3xPbQxRBtSO3x+y91D7tFztcbnitEn+iw05i7MjTTdEyG9QA6FqyZIHtsf02010k/Y66OhfPvMt1rzkeXL/P8MtrodkWrI2r1eKcl8/lIuKp3ugiuDuI60F1UPIOhjuahipG6OeP9eA0CU1B0lhSSGU2NZZ5NqIvfBXBfnoGEiZ7Ib1gV3gCe4OpRglfhtMDpUYEGDsKlso29QTw9qLCIOhu6ZkxOhkR3dH8HvRKMwyhTzI+6q+H67ckECkTl4g+jSOonlj1uln5cYPKITEGiPiLlc5smaPVcr7hgO58nWxSutJh2vZyhAS0kjBpT8Asxb6xUCkEOZNTVi6WyQAl1Iweqd3EF1ATHEUjrVNqTOkgedz/fFx1eUeze22OhswN2Ko9PN4jcQ96QpNVf29Jyx/SFyAja25TB/3bOf0cYHPBGjxl8ScLeatEU4JWHA8jhLoJdTkFLLNYk6qjHirLd6ur+SmxvwXokMqlofOfkl2Cmh5a8/jLdKdSkgRONdGO0R9xskDcFXcq+CD30VXLR97s76khVCHPNzLiP645gDTYvhwnOTAOq5OD1jR1JcZYO7bqhketgGrKp76hyUMXEpXmBjfHdHtStVcNR56Us+bCV+rARMsL8qFaBgiWMVVssb9Obi8zkye/mdkoTieZuNaQBXDw0cqxlda3VgreqayUcuPETCAkuGn50R3tA5r3ncRJdJDwWXF1JyoicVf2VSvhg44hZUuxvrpNWpFvYY5At5xvPtSOwVuvhAL94pYJXIkX0kCFr2i9nTTIgUij8EuYqGZ3FqIbjxV+mdlCxIG8ARFXHLEzxyHo2QYF9rkgsd8bsprt2QOC4LXzvpHg6u5/4bfzRi5z1jXtjQ28+EreRH4FGLvrUR8TfhBm/0uzIRwJV/ehLMI28PmYJ3keB3op3u64drGoGmqyayOUS6NEJRtgrl5AwYktBL0l44B7pJI73JhGPL1ptzK2CK8vSChO2LidR4WUHBVF5HiiSDJ4sMqAsNnPIhE4sNzTi36t/0KKNLbEoHVJOl2F3quO+H3SX2WrGu+hwUNJqJMfiQENJGzVwckYKFxAvGEqfnwvo2nUHVmP7khm7SwWkuh/6LKWoplM/fS6sObWFF/AhLtP8Gpy8VNWPBfeNDOwyBUMvwTr+QjfQFS8UwRgevWrs7sAhzkc9sCzWToLODue8k7quZco2DC3tN6H93SX8Z/7yKrlAEPb1TO6eO0a5cwBUZk7iVYFOdhlTrsB8rDE3Jye37D6UMuSHu9BGMz/L9YFg16dkLPXVJpVwzUupPa7Xf+9C9FGEd9gdy2ZgGdGhJqyLTvs2MINJoS6bH9X13VMP31rpGvvcJdUJspMKxA1+pUCrFyYLvzQRy+w2lnC5CPqOxh+u5tGmlERoJMFwuTabHFHFGJxlJ1OYLCI4n+1xrcIaPGr030FSAr1rPUPDYTzDJu3ojVhQLzCrSfWfnKqkvbFNZ0jGFSb0+OQFxpXT/EwzS4GN9t6mZQMl9pttOnoqvjFhANDMo1F1lwJp5Ojg1ZQa0CE2jCNeKwjmbR8U0BOWJdlt31ZaKP0Y5xF1xu/N5iGoy8O9+9dnWAcnrE33EWwLev/Yg/MCRV9zsvxNJWxkV2DJ0=
---END GANDCRAB KEY---
---BEGIN PC DATA---
…
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/70f8d3f01256e468
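The extracted note above is the sample's configuration in plain text: the version banner, the appended extension, the victim-specific onion URL and the key blob are all there for the taking. The parser below is an added example, not part of the sandbox's report or its config extractor. It pulls those fields out of a note and verifies that the key block actually decodes before anyone relies on it. The embedded note is constructed from the header lines shown above, with a short placeholder blob in place of the real multi-kilobyte key; the little-endian lead field it reports is our assumption about the blob layout, not something the report states.

```python
import base64
import binascii
import re
import struct

# Constructed key blob for the example (the real one in the report is several
# kilobytes): a 4-byte little-endian length prefix followed by 32 filler bytes,
# base64-encoded at runtime so the padding is always valid.
_FAKE_BLOB = struct.pack("<I", 32) + bytes(range(32))
_FAKE_KEY_B64 = base64.b64encode(_FAKE_BLOB).decode()

# Constructed sample note. Banner, extension, onion link and delimiters are the
# ones in the report's WIMFZFOBXY-DECRYPT.txt; the line wrapping is ours.
SAMPLE_NOTE = f"""---= GANDCRAB V5.0.3 =---
***UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***
Attention! All your files, documents, photos, databases and other important files
are encrypted and have the extension: .WIMFZFOBXY
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/70f8d3f01256e468
---BEGIN GANDCRAB KEY--- {_FAKE_KEY_B64} ---END GANDCRAB KEY---
---BEGIN PC DATA--- ---END PC DATA---
"""

NOTE_PATTERNS = {
    "version":   re.compile(r"---=\s*GANDCRAB\s+V([\d.]+)\s*=---"),
    "extension": re.compile(r"have the extension:\s*\.([A-Za-z0-9]+)"),
    # v2 onion address (16 base32 chars) or v3 (56), followed by the victim ID path.
    "onion_url": re.compile(r"(https?://[a-z2-7]{16,56}\.onion/[0-9a-f]+)", re.I),
    "key_b64":   re.compile(r"---BEGIN GANDCRAB KEY---\s*(.*?)\s*---END GANDCRAB KEY---", re.S),
    "pc_data":   re.compile(r"---BEGIN PC DATA---\s*(.*?)\s*---END PC DATA---", re.S),
}


def parse_gandcrab_note(text: str) -> dict:
    """Extract the triage-relevant fields from a GandCrab v5 ransom note.

    Fields the note does not contain are set to None, so a caller can tell
    "absent" apart from "present but empty" (the PC DATA block is often empty
    in copies that circulate).
    """
    out = {}
    for name, pat in NOTE_PATTERNS.items():
        m = pat.search(text)
        out[name] = m.group(1) if m else None

    # The victim ID is the last path component of the onion URL.
    out["victim_id"] = out["onion_url"].rsplit("/", 1)[1] if out["onion_url"] else None

    # The key block is base64; strip whitespace added by wrapping or extraction,
    # then decode strictly so a truncated or corrupted note is noticed here.
    out["key_bytes"] = None
    out["key_lead_dword"] = None
    if out["key_b64"] is not None:
        compact = re.sub(r"\s+", "", out["key_b64"])
        out["key_b64"] = compact
        try:
            blob = base64.b64decode(compact, validate=True)
        except binascii.Error:
            return out  # key block present but not valid base64
        out["key_bytes"] = len(blob)
        # Assumption (ours, not the report's): the blob opens with a little-endian
        # 32-bit field. We surface it without claiming what it means.
        if len(blob) >= 4:
            out["key_lead_dword"] = struct.unpack("<I", blob[:4])[0]
    return out


def note_iocs(fields: dict) -> list:
    """Turn parsed fields into the strings you would push to a blocklist/hunt."""
    iocs = []
    if fields.get("extension"):
        iocs.append(("file_extension", "." + fields["extension"]))
    if fields.get("onion_url"):
        iocs.append(("url", fields["onion_url"]))
    if fields.get("victim_id"):
        iocs.append(("victim_id", fields["victim_id"]))
    return iocs


if __name__ == "__main__":
    parsed = parse_gandcrab_note(SAMPLE_NOTE)
    for k, v in parsed.items():
        print(f"{k:15s} {v if k != 'key_b64' else (v or '')[:24] + '...'}")
    print(note_iocs(parsed))
```

Point it at the real note (read the file with `errors="replace"`; these notes are not always clean UTF-8) and the `key_b64` value is the per-victim blob to archive alongside the victim ID, since that pairing is what the operator's portal keys on.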

Signatures

  • Gandcrab

    GandCrab is a ransomware family, delivered as a Trojan, that encrypts files on the victim's computer and demands payment for the decryption key.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (285) files with added filename extension

    This is consistent with ransomware encrypting files across the system and appending its extension to each one.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather the victim system's language in order to infer the host's geographical location; GandCrab is known to use this to skip hosts in certain locales.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
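The "Deletes shadow copies" and "Uses Volume Shadow Copy service COM API" signatures come from one observable in this run: wermgr.exe (PID 2772, which the sample has injected into) launching wmic.exe shadowcopy delete, which in turn brings up vssvc.exe. The detection below is an added example and not the sandbox's own rule logic. It runs the usual set of shadow-copy and recovery-tampering command lines over constructed process-creation events (the first event reproduces the report's wmic launch; the rest are invented controls) and raises the severity when the parent is a process that should never be managing shadow copies. That parent list is our heuristic, not a published one.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 or an EDR equivalent)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


# Command lines that destroy or disable recovery data. Each entry is one
# technique; the sample in this report used the first (wmic shadowcopy delete).
SHADOW_DESTROY_PATTERNS = [
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("powershell Win32_ShadowCopy removal",
     re.compile(r"Win32_ShadowCopy.*\b(Remove-WmiObject|Delete\(\))", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]

# Parents with no business spawning a shadow-copy management tool. In the report
# GandCrab ran inside wermgr.exe (Windows Error Reporting) and spawned wmic from
# there. This list is our heuristic; extend it from your own baseline.
UNEXPECTED_PARENTS = {"wermgr.exe", "winword.exe", "excel.exe", "outlook.exe", "explorer.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_shadow_copy_tampering(events):
    """Return one finding per event whose command line matches a destroy pattern.

    Severity is 'high' when the parent is an unexpected one (an injected or
    user-facing process) and 'medium' otherwise. A backup admin running the
    same command from cmd.exe lands in 'medium' and should be checked against
    change records rather than auto-blocked.
    """
    findings = []
    for ev in events:
        for name, pat in SHADOW_DESTROY_PATTERNS:
            if pat.search(ev.cmdline):
                parent = basename(ev.parent_image)
                findings.append({
                    "pid": ev.pid,
                    "technique": name,
                    "parent": parent,
                    "severity": "high" if parent in UNEXPECTED_PARENTS else "medium",
                })
                break  # one finding per event
    return findings


# Constructed events. The first mirrors the report's process tree
# (wermgr.exe PID 2772 -> wmic.exe PID 328); the others are invented controls.
SAMPLE_EVENTS = [
    ProcEvent(328, r"C:\Windows\SysWOW64\wbem\wmic.exe",
              r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete',
              r"C:\Windows\SysWOW64\wermgr.exe"),
    ProcEvent(4100, r"C:\Windows\System32\vssadmin.exe",
              "vssadmin list shadows", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(4101, r"C:\Windows\System32\vssadmin.exe",
              "vssadmin delete shadows /all /quiet", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(4102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c Get-WmiObject Win32_ShadowCopy | Remove-WmiObject",
              r"C:\Windows\explorer.exe"),
    ProcEvent(4103, r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /set {default} recoveryenabled No", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for finding in detect_shadow_copy_tampering(SAMPLE_EVENTS):
        print(finding)
```

Command-line matching cannot see the other thing the report flags, direct use of the VSS COM API from the injected wermgr.exe; that needs API- or service-side telemetry around vssvc.exe, not process-creation events. Pair this rule with the file-rename burst signal ("Renames multiple (285) files") so a single admin shadow cleanup does not page anyone on its own.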

Processes

  • C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe
    "C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe
      C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0017094c.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1460
    • C:\Windows\SysWOW64\wermgr.exe
      "C:\Windows\System32\wermgr.exe"
      2⤵
      • Drops startup file
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\SysWOW64\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:328
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2168

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\WIMFZFOBXY-DECRYPT.txt

    Filesize

    8KB

    MD5

    209410f96f3db0862f7e91a15780bac8

    SHA1

    52c77d623157b1da470e75efda577122ce95a43f

    SHA256

    6b2152d1a217b92982a497d7200442c7599216cb24e7625a9d361a5eaf41aad9

    SHA512

    a63bf10ec0e6873f96e88d21b9365de80441f7ae7e213796e8e58d489cd17232ffee03c38c51b83072dbf4bf52d22cac02108d7eef4967e978e97d9e2f305280

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    09e34f6608faf68d83e98448181c6eb8

    SHA1

    ddb771c1b84dc056b51f5519743ba3ed438dc9b1

    SHA256

    bcf6a6db95145f23b2a1df7108a2dae95a34ef7220359be4dd588ba216f8ca30

    SHA512

    50dff6a505f3af5c70abc4ad1ddc76ed05a4042d56424ced75172d38c3363bf5bb21abee7d9037bfaf2db3458609424cef8f035d750fda0f6d3258d90cb20b6c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\k2[1].rar

    Filesize

    4B

    MD5

    d3b07384d113edec49eaa6238ad5ff00

    SHA1

    f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

    SHA256

    b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

    SHA512

    0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

  • C:\Users\Admin\AppData\Local\Temp\0017094c.bat

    Filesize

    187B

    MD5

    bde2ecaa466d7648b04e39498c35ef8f

    SHA1

    b348fda345219e0a3c44be4843fcee1cf3bdf6c6

    SHA256

    66ea0e33a20a065e8add0cb57110ea274953816159528f84c7207c20cc1bbefe

    SHA512

    b1f4b72e9ae4eb65b2ecea05244bf4adcd79f79596ad6d56298086aef7d91f7d71e9eabe3e903c74de41bd17e7b06ba03d159f7d39d6baf44cab422d71a10f01

  • C:\Users\Admin\AppData\Local\Temp\28BC5723.exe

    Filesize

    4B

    MD5

    20879c987e2f9a916e578386d499f629

    SHA1

    c7b33ddcc42361fdb847036fc07e880b81935d5d

    SHA256

    9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

    SHA512

    bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

  • C:\Users\Admin\AppData\Local\Temp\Cab4980.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar4A3F.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Local\Temp\MGTDPP.exe

    Filesize

    15KB

    MD5

    f7d21de5c4e81341eccd280c11ddcc9a

    SHA1

    d4e9ef10d7685d491583c6fa93ae5d9105d815bd

    SHA256

    4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

    SHA512

    e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

  • memory/2332-8-0x0000000000260000-0x0000000000269000-memory.dmp

    Filesize

    36KB

  • memory/2332-15-0x0000000000414000-0x000000000041B000-memory.dmp

    Filesize

    28KB

  • memory/2332-14-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/2332-0-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/2332-9-0x0000000000260000-0x0000000000269000-memory.dmp

    Filesize

    36KB

  • memory/2772-819-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2992-416-0x00000000013C0000-0x00000000013C9000-memory.dmp

    Filesize

    36KB

  • memory/2992-11-0x00000000013C0000-0x00000000013C9000-memory.dmp

    Filesize

    36KB
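Two of the dropped files above are only 4 bytes, and the hashes recorded for k2[1].rar are exactly those of the string "foo\n" (what `echo foo` produces), so that "download" is almost certainly placeholder content served by whatever answered the sample's HTTP request inside the sandbox, not a real archive. Likewise a 4-byte 28BC5723.exe cannot be a PE image, since the DOS header alone is 64 bytes. The script below is an added example, not part of the report or the sandbox, that applies those two checks to the Downloads list before anyone spends time pulling the artefacts. The record list is transcribed from the report; the placeholder table is ours.

```python
import hashlib

# Dropped-file records copied from the report's Downloads list:
# (path, size as the report prints it, MD5, SHA-256).
DROPPED = [
    (r"C:\MSOCache\WIMFZFOBXY-DECRYPT.txt", "8KB",
     "209410f96f3db0862f7e91a15780bac8",
     "6b2152d1a217b92982a497d7200442c7599216cb24e7625a9d361a5eaf41aad9"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\k2[1].rar", "4B",
     "d3b07384d113edec49eaa6238ad5ff00",
     "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"),
    (r"C:\Users\Admin\AppData\Local\Temp\28BC5723.exe", "4B",
     "20879c987e2f9a916e578386d499f629",
     "9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31"),
    (r"\Users\Admin\AppData\Local\Temp\MGTDPP.exe", "15KB",
     "f7d21de5c4e81341eccd280c11ddcc9a",
     "4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794"),
]

# Contents that simulated-network services commonly hand back instead of a real
# download. Hashes are computed at import time, so extending this table with
# whatever your own sandbox returns is a one-line change.
KNOWN_PLACEHOLDERS = {
    b"foo\n": "echo-foo placeholder",
    b"bar\n": "echo-bar placeholder",
    b"": "empty file",
}


def _hashes(data: bytes) -> tuple:
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


PLACEHOLDER_BY_HASH = {_hashes(d): label for d, label in KNOWN_PLACEHOLDERS.items()}

MIN_PE_SIZE = 64  # the DOS header alone is 64 bytes; nothing smaller can be a PE


def parse_size(s: str) -> int:
    """'4B' -> 4, '8KB' -> 8192. Report sizes are rounded, so for anything
    beyond a few bytes treat the result as approximate."""
    units = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
    for suffix, mult in sorted(units.items(), key=lambda kv: -len(kv[0])):
        if s.upper().endswith(suffix):
            return int(float(s[: -len(suffix)]) * mult)
    raise ValueError(f"unrecognised size {s!r}")


def triage_dropped_files(records):
    """Label each dropped file as placeholder content, an impossible executable,
    or a real artefact worth collecting. Returns (filename, verdict) pairs."""
    results = []
    for path, size, md5, sha256 in records:
        n = parse_size(size)
        label = PLACEHOLDER_BY_HASH.get((md5.lower(), sha256.lower()))
        if label:
            verdict = f"sandbox placeholder ({label})"
        elif path.lower().endswith(".exe") and n < MIN_PE_SIZE:
            verdict = f"{n}-byte .exe cannot be a PE image; likely a stub or failed write"
        else:
            verdict = "real artefact; collect and hash-match against the sample"
        results.append((path.rsplit("\\", 1)[-1], verdict))
    return results


if __name__ == "__main__":
    for name, verdict in triage_dropped_files(DROPPED):
        print(f"{name:28s} {verdict}")
```

The placeholder check is deliberately keyed on both MD5 and SHA-256 so a report that lists only one of them still needs a second hash before a file is written off; a single MD5 collision is cheap to manufacture, the pair is not.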