Analysis
- max time kernel: 6s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
- submitted: 25-07-2024 00:58
Static task: static1
Behavioral task: behavioral1
- Sample: LisectAVT_2403002B_153.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: LisectAVT_2403002B_153.exe
- Resource: win10v2004-20240709-en
General
- Target: LisectAVT_2403002B_153.exe
- Size: 444KB
- MD5: ef6da88c6be6fb9b3da57d60ba73fc42
- SHA1: d91a8cdf950085dd1eff243452ff41d165baad3f
- SHA256: 60e55ca2aeeeacc6428a1e9c1b43742009a8f50807bbebee0d1527ba155268b8
- SHA512: 15ebe4b168b34fcbef387fc87fbdda37b68cd16b24f5d03aa609725fc20dd0ad9f251c57d9527378a33ad15d258b0bff8ac4e350bdcc76c673de7d9711dc5dbb
- SSDEEP: 6144:0UGV83D35bJrqV2L/E0tA+j16kUef5Nj1mB9WjEw0tzMVv:nvmVe9h1qEtkBzw0tQ
Malware Config
Extracted:
- C:\$Recycle.Bin\LKLXS-DECRYPT.txt
- http://gandcrabmfe6mnef.onion/1ddd30d12a33ed1c
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (269) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Processes: resource C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe, yara_rule aspack_v212_v242
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: MGTDPP.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation (MGTDPP.exe)
- Credentials from Password Stores: Windows Credential Manager (1 TTP)
  Suspicious access to Credentials History.
- Drops startup file (2 IoCs)
  Processes: wermgr.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\LKLXS-DECRYPT.txt (wermgr.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\2a33eaf12a33ed1d311.lock (wermgr.exe)
- Executes dropped EXE (1 IoC)
  Processes: MGTDPP.exe (PID 1688)
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: wermgr.exe
  File opened (read-only) by wermgr.exe: \??\J:, \??\K:, \??\S:, \??\V:, \??\Y:, \??\Z:, \??\A:, \??\E:, \??\P:, \??\Q:, \??\M:, \??\O:, \??\U:, \??\W:, \??\B:, \??\G:, \??\H:, \??\L:, \??\X:, \??\I:, \??\N:, \??\R:, \??\T:
- Drops file in Program Files directory (64 IoCs)
  Processes: MGTDPP.exe, wermgr.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: cmd.exe, wermgr.exe, LisectAVT_2403002B_153.exe, MGTDPP.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe, wermgr.exe, LisectAVT_2403002B_153.exe, MGTDPP.exe)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: wermgr.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (wermgr.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (wermgr.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (wermgr.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: wermgr.exe (PID 1628), listed 4 times
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: LisectAVT_2403002B_153.exe, MGTDPP.exe
  PID 1436 (LisectAVT_2403002B_153.exe) wrote to memory of PID 1688 (MGTDPP.exe), 3 times
  PID 1688 (MGTDPP.exe) wrote to memory of PID 3620 (TrustedInstaller.exe), 3 times
  PID 1436 (LisectAVT_2403002B_153.exe) wrote to memory of PID 1628 (wermgr.exe), 5 times
Processes
- C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe (PID 1436)
  Command line: "C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe (PID 1688)
    Command line: C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe
    Signatures: Checks computer location settings; Executes dropped EXE; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3620)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\70db0da5.bat" "
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wermgr.exe (PID 1628)
    Command line: "C:\Windows\System32\wermgr.exe"
    Signatures: Drops startup file; Enumerates connected drives; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\wbem\wmic.exe (PID 4468)
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
- C:\Windows\servicing\TrustedInstaller.exe (PID 3620)
  Command line: C:\Windows\servicing\TrustedInstaller.exe
- C:\Windows\system32\vssvc.exe (PID 700)
  Command line: C:\Windows\system32\vssvc.exe
Network
MITRE ATT&CK Enterprise v15
Downloads