Analysis
max time kernel: 143s
max time network: 144s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 25-07-2024 00:58
Static task: static1
Behavioral task: behavioral1
  Sample: LisectAVT_2403002B_153.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: LisectAVT_2403002B_153.exe
  Resource: win10v2004-20240709-en
General
Target: LisectAVT_2403002B_153.exe
Size: 444KB
MD5: ef6da88c6be6fb9b3da57d60ba73fc42
SHA1: d91a8cdf950085dd1eff243452ff41d165baad3f
SHA256: 60e55ca2aeeeacc6428a1e9c1b43742009a8f50807bbebee0d1527ba155268b8
SHA512: 15ebe4b168b34fcbef387fc87fbdda37b68cd16b24f5d03aa609725fc20dd0ad9f251c57d9527378a33ad15d258b0bff8ac4e350bdcc76c673de7d9711dc5dbb
SSDEEP: 6144:0UGV83D35bJrqV2L/E0tA+j16kUef5Nj1mB9WjEw0tzMVv:nvmVe9h1qEtkBzw0tQ
Malware Config
Extracted
  Path: C:\MSOCache\WIMFZFOBXY-DECRYPT.txt
  URL: http://gandcrabmfe6mnef.onion/70f8d3f01256e468
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (285) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MGTDPP.exe | aspack_v212_v242
- Credentials from Password Stores: Windows Credential Manager (1 TTPs)
  Suspicious access to Credentials History.
- Drops startup file (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\WIMFZFOBXY-DECRYPT.txt | wermgr.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\1256e3851256e469311.lock | wermgr.exe
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  2992 | MGTDPP.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  2332 | LisectAVT_2403002B_153.exe
  2332 | LisectAVT_2403002B_153.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  File opened (read-only) by wermgr.exe: \??\V:, \??\W:, \??\Z:, \??\B:, \??\L:, \??\O:, \??\T:, \??\U:, \??\E:, \??\I:, \??\K:, \??\Q:, \??\R:, \??\Y:, \??\A:, \??\G:, \??\J:, \??\M:, \??\X:, \??\H:, \??\N:, \??\P:, \??\S:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | wermgr.exe
- Drops file in Program Files directory (64 IoCs)
  Processes:
  File opened for modification by MGTDPP.exe:
    C:\Program Files\Java\jre7\bin\klist.exe
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe
    C:\Program Files\Java\jre7\bin\servertool.exe
    C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE
    C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe
    C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE
    C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files (x86)\Windows Sidebar\sidebar.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe
    C:\Program Files\VideoLAN\VLC\vlc.exe
    C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe
    C:\Program Files (x86)\Microsoft Office\Office14\misc.exe
    C:\Program Files\7-Zip\7z.exe
    C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe
    C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
    C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Java\jre7\bin\jp2launcher.exe
    C:\Program Files\Windows Mail\WinMail.exe
    C:\Program Files\Java\jre7\bin\pack200.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe
    C:\Program Files\7-Zip\7zFM.exe
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
    C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
    C:\Program Files\Windows Mail\wab.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe
    C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE
    C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe
    C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE
    C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe
    C:\Program Files\Microsoft Games\Hearts\Hearts.exe
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
    C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE
    C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE
    C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE
    C:\Program Files (x86)\Windows Mail\wabmig.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe
    C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
  File opened for modification by wermgr.exe:
    C:\Program Files\RequestSearch.dotm
    C:\Program Files\UseSet.tiff
    C:\Program Files\InstallRestart.vsw
    C:\Program Files\DenyUnlock.xhtml
    C:\Program Files\EnableSave.hta
  File created by wermgr.exe:
    C:\Program Files (x86)\WIMFZFOBXY-DECRYPT.txt
    C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\1256e3851256e469311.lock
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: LisectAVT_2403002B_153.exe, wermgr.exe, MGTDPP.exe, cmd.exe, wmic.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wermgr.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wermgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wermgr.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  2772 | wermgr.exe
  2772 | wermgr.exe
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  Processes:
  wmic.exe (pid 328), the following token sequence recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  vssvc.exe (pid 2168): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  description | process -> target process
  PID 2332 wrote to memory of 2992 | LisectAVT_2403002B_153.exe -> MGTDPP.exe (recorded 4 times)
  PID 2332 wrote to memory of 2772 | LisectAVT_2403002B_153.exe -> wermgr.exe (recorded 6 times)
  PID 2992 wrote to memory of 1460 | MGTDPP.exe -> cmd.exe (recorded 4 times)
  PID 2772 wrote to memory of 328 | wermgr.exe -> wmic.exe (recorded 4 times)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe (PID 2332)
  Command line: "C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe (PID 2992)
    Command line: C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1460)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\0017094c.bat" "
      - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\wermgr.exe (PID 2772)
    Command line: "C:\Windows\System32\wermgr.exe"
    - Drops startup file
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\wbem\wmic.exe (PID 328)
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe (PID 2168)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads