Analysis

  • max time kernel
    6s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-07-2024 00:58

General

  • Target

    LisectAVT_2403002B_153.exe

  • Size

    444KB

  • MD5

    ef6da88c6be6fb9b3da57d60ba73fc42

  • SHA1

    d91a8cdf950085dd1eff243452ff41d165baad3f

  • SHA256

    60e55ca2aeeeacc6428a1e9c1b43742009a8f50807bbebee0d1527ba155268b8

  • SHA512

    15ebe4b168b34fcbef387fc87fbdda37b68cd16b24f5d03aa609725fc20dd0ad9f251c57d9527378a33ad15d258b0bff8ac4e350bdcc76c673de7d9711dc5dbb

  • SSDEEP

    6144:0UGV83D35bJrqV2L/E0tA+j16kUef5Nj1mB9WjEw0tzMVv:nvmVe9h1qEtkBzw0tQ

Malware Config

Extracted

Path

C:\$Recycle.Bin\LKLXS-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.3 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .LKLXS
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/1ddd30d12a33ed1c
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
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
---END GANDCRAB KEY---
---BEGIN PC DATA---
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
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/1ddd30d12a33ed1c

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (269) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe
    "C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe
      C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\70db0da5.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3620
    • C:\Windows\SysWOW64\wermgr.exe
      "C:\Windows\System32\wermgr.exe"
      2⤵
      • Drops startup file
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1628
      • C:\Windows\SysWOW64\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
          PID:4468
  • C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\servicing\TrustedInstaller.exe
    1⤵
    PID:3620
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:700

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\$Recycle.Bin\LKLXS-DECRYPT.txt

          Filesize

          8KB

          MD5

          53dc00d9d71e920f7c59119f4e90c0ef

          SHA1

          7780c4c32f43a0d8b09aa1e6e918bb4b4d2eb7dd

          SHA256

          dd1d3250e11a545a0dedca054b9295118727dfba9923a36691ec04bbcbe4a817

          SHA512

          01ee3c60f1a7075fd572653336b7b25948775db9fcf064f75776d16709d5936dfebdad616e3c934491a582bb8c06bac6ab6096a9bbb79e5f5a7e270f9dc16767

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\k2[1].rar

          Filesize

          4B

          MD5

          d3b07384d113edec49eaa6238ad5ff00

          SHA1

          f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

          SHA256

          b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

          SHA512

          0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

        • C:\Users\Admin\AppData\Local\Temp\52FA2C60.exe

          Filesize

          4B

          MD5

          20879c987e2f9a916e578386d499f629

          SHA1

          c7b33ddcc42361fdb847036fc07e880b81935d5d

          SHA256

          9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

          SHA512

          bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

        • C:\Users\Admin\AppData\Local\Temp\70db0da5.bat

          Filesize

          187B

          MD5

          c74ab11b29ba6e63de588277a9892300

          SHA1

          8026bbba6b39e5334ef226e3101c0a8fb179cda5

          SHA256

          aea1b22012c716cd36203f338048b1e1f710af0a976a2bbca04d0ce7b3a0b082

          SHA512

          b24222ffba33ea90d2332b753de8d214ccf3bb319c4d4d6f0a66e8b59728e84db0f981330829ad1958476b45b2ddb035c3449ee55449f5107100a41c5da0bb9a

        • C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe

          Filesize

          15KB

          MD5

          f7d21de5c4e81341eccd280c11ddcc9a

          SHA1

          d4e9ef10d7685d491583c6fa93ae5d9105d815bd

          SHA256

          4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

          SHA512

          e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

        • memory/1436-8-0x0000000000414000-0x000000000041B000-memory.dmp

          Filesize

          28KB

        • memory/1436-7-0x0000000000400000-0x000000000046F000-memory.dmp

          Filesize

          444KB

        • memory/1436-0-0x0000000000400000-0x000000000046F000-memory.dmp

          Filesize

          444KB

        • memory/1628-50-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

        • memory/1628-928-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

        • memory/1628-936-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

        • memory/1688-48-0x0000000000430000-0x0000000000439000-memory.dmp

          Filesize

          36KB

        • memory/1688-4-0x0000000000430000-0x0000000000439000-memory.dmp

          Filesize

          36KB