Malware Analysis Report

2024-10-18 21:56

Sample ID 240725-bbkyvaxhnm
Target LisectAVT_2403002B_153.exe
SHA256 60e55ca2aeeeacc6428a1e9c1b43742009a8f50807bbebee0d1527ba155268b8
Tags
gandcrab aspackv2 backdoor credential_access defense_evasion discovery execution impact ransomware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

60e55ca2aeeeacc6428a1e9c1b43742009a8f50807bbebee0d1527ba155268b8

Threat Level: Known bad

The file LisectAVT_2403002B_153.exe was found to be: Known bad.

Malicious Activity Summary

gandcrab aspackv2 backdoor credential_access defense_evasion discovery execution impact ransomware stealer

Gandcrab

Renames multiple (285) files with added filename extension

Renames multiple (269) files with added filename extension

Deletes shadow copies

Credentials from Password Stores: Windows Credential Manager

Loads dropped DLL

ASPack v2.12-2.42

Checks computer location settings

Drops startup file

Executes dropped EXE

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Checks processor information in registry

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-25 00:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 00:58

Reported

2024-07-25 01:01

Platform

win7-20240708-en

Max time kernel

143s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (285) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\WIMFZFOBXY-DECRYPT.txt C:\Windows\SysWOW64\wermgr.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\1256e3851256e469311.lock C:\Windows\SysWOW64\wermgr.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\wermgr.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" C:\Windows\SysWOW64\wermgr.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\RequestSearch.dotm C:\Windows\SysWOW64\wermgr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\UseSet.tiff C:\Windows\SysWOW64\wermgr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Windows Defender\MSASCui.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\sidebar.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File created C:\Program Files (x86)\WIMFZFOBXY-DECRYPT.txt C:\Windows\SysWOW64\wermgr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\sidebar.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\InstallRestart.vsw C:\Windows\SysWOW64\wermgr.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Windows Mail\WinMail.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\DenyUnlock.xhtml C:\Windows\SysWOW64\wermgr.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\EnableSave.hta C:\Windows\SysWOW64\wermgr.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Windows Mail\wab.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\1256e3851256e469311.lock C:\Windows\SysWOW64\wermgr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\Hearts.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\wabmig.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
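The indicators above are the on-disk footprint a responder will look for on other hosts: one ransom note per directory, a hex-named .lock marker, and victim files renamed with an appended extension. The script below is an added example for this report, not sandbox output. It takes the note name pattern <EXT>-DECRYPT.txt (WIMFZFOBXY-DECRYPT.txt) and the marker name (1256e3851256e469311.lock) from the tables above; the inference that the appended extension equals the note's prefix (.WIMFZFOBXY) and the 5-10 letter length bound are assumptions of the example, not facts the report states. The victim tree it scans is constructed with tempfile.

```python
"""Hunt for the GandCrab file-system artefacts listed in this report.

Added example, not sandbox output. Indicators taken from the report:
<EXT>-DECRYPT.txt notes per directory, a hex-named .lock marker, and
files renamed with an appended extension. Assumptions: the appended
extension equals the note prefix, and it is 5-10 uppercase letters.
"""
import hashlib
import os
import re
import tempfile
from collections import Counter

NOTE_RE = re.compile(r"^([A-Z]{5,10})-DECRYPT\.txt$")   # WIMFZFOBXY-DECRYPT.txt
LOCK_RE = re.compile(r"^[0-9a-f]+\.lock$", re.I)         # 1256e3851256e469311.lock


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Walk root once; return notes per directory, lock markers, derived
    extensions, per-extension renamed-file counts and distinct note bodies."""
    entries = [(d, n) for d, _, names in os.walk(root) for n in names]
    notes, locks, exts = {}, [], set()
    for dirpath, name in entries:
        m = NOTE_RE.match(name)
        if m:
            exts.add("." + m.group(1))          # note prefix -> appended extension
            notes[dirpath] = (name, sha256_file(os.path.join(dirpath, name)))
        elif LOCK_RE.match(name):
            locks.append(os.path.join(dirpath, name))
    renamed = Counter(ext for _, name in entries for ext in exts if name.endswith(ext))
    digests = {digest for _, digest in notes.values()}
    return {
        "notes": notes,
        "locks": sorted(locks),
        "extensions": sorted(exts),
        "renamed_counts": dict(renamed),
        "distinct_note_digests": len(digests),   # >1 would mean tampered or mixed notes
    }


def build_demo_tree():
    """Constructed victim tree modelled on directories from the report (not real data)."""
    root = tempfile.mkdtemp(prefix="gandcrab_demo_")
    note_body = b"constructed placeholder ransom note body\n"
    layout = {
        "MSOCache": ["budget.xlsx.WIMFZFOBXY", "WIMFZFOBXY-DECRYPT.txt"],
        "Program Files (x86)": ["WIMFZFOBXY-DECRYPT.txt", "readme.txt"],
        os.path.join("Users", "Admin", "AppData", "Roaming", "Microsoft", "Word", "STARTUP"):
            ["WIMFZFOBXY-DECRYPT.txt", "1256e3851256e469311.lock", "Normal.dotm.WIMFZFOBXY"],
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "wb") as f:
                f.write(note_body if n.endswith("-DECRYPT.txt") else b"\x00" * 64)
    return root


if __name__ == "__main__":
    result = scan(build_demo_tree())
    print("appended extension(s):", result["extensions"])
    print("renamed files:", result["renamed_counts"])
    print("directories with a note:", len(result["notes"]),
          "| distinct note bodies:", result["distinct_note_digests"])
    print("lock markers:", result["locks"])
```

Point scan() at a mounted image or a live volume root to get the extension, the per-directory note list and the renamed-file count without knowing the extension in advance; the note-digest count is a cheap check that every note on the host is the same body (the report hashes only the MSOCache copy).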

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wermgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\wermgr.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\wermgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\wermgr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe
PID 2332 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe
PID 2332 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe
PID 2332 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe
PID 2332 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Windows\SysWOW64\wermgr.exe
PID 2332 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Windows\SysWOW64\wermgr.exe
PID 2332 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Windows\SysWOW64\wermgr.exe
PID 2332 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Windows\SysWOW64\wermgr.exe
PID 2332 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Windows\SysWOW64\wermgr.exe
PID 2332 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Windows\SysWOW64\wermgr.exe
PID 2992 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 328 N/A C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2772 wrote to memory of 328 N/A C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2772 wrote to memory of 328 N/A C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2772 wrote to memory of 328 N/A C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wbem\wmic.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe"

C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe

C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe

C:\Windows\SysWOW64\wermgr.exe

"C:\Windows\System32\wermgr.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\0017094c.bat" "

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
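The process list and the WriteProcessMemory table together give the chain: the sample (PID 2332) drops and runs MGTDPP.exe (2992), launches wermgr.exe (2772) and writes into both; wermgr.exe then spawns wmic.exe (328) to delete shadow copies, which is what pulls vssvc.exe into the tree. Note that the wermgr.exe row lists the image as C:\Windows\SysWOW64\wermgr.exe while its command line says C:\Windows\System32\wermgr.exe: the 32-bit parent asked for System32 and WOW64 file-system redirection served the 32-bit copy, so a detection should match on the recorded image path rather than the command-line string. The script below is an added example for this report, not sandbox output: it replays constructed process-creation records built from the five processes above and flags the three behaviours that distinguish this chain. The field names (ppid, pid, image, cmd) mimic a Sysmon process-creation event and are an assumption; the sample's own parent PID is not in the report and is set to 0.

```python
"""Reconstruct the process chain behind "wmic shadowcopy delete".

Added example for this report, not sandbox output. EVENTS is constructed
from the report's Processes and WriteProcessMemory tables (PIDs 2332,
2992, 2772, 1460, 328); the record layout is an assumption.
"""
import re

EVENTS = [  # constructed from the report; ppid 0 = parent not recorded
    {"ppid": 0, "pid": 2332,
     "image": r"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe"'},
    {"ppid": 2332, "pid": 2992,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe",
     "cmd": r"C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe"},
    {"ppid": 2332, "pid": 2772,
     "image": r"C:\Windows\SysWOW64\wermgr.exe",
     "cmd": r'"C:\Windows\System32\wermgr.exe"'},
    {"ppid": 2992, "pid": 1460,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\0017094c.bat" "'},
    {"ppid": 2772, "pid": 328,
     "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "cmd": r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'},
]

# Shadow-copy deletion through the two built-in tools commonly abused for it.
SHADOW_DELETE = re.compile(
    r"\bwmic\b.*\bshadowcopy\s+delete\b|\bvssadmin\b.*\bdelete\s+shadows\b", re.I)
# User-writable locations a Windows system binary should not be launched from.
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(index, pid):
    """Image paths from pid up to the root, child first; stops at unknown PIDs."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid]["image"])
        pid = index[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule, pid, lineage) tuples for the behaviours this report shows."""
    index = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = index.get(e["ppid"])
        if SHADOW_DELETE.search(e["cmd"]):
            alerts.append(("shadow_copy_deletion", e["pid"], lineage(index, e["pid"])))
        # wermgr.exe belongs to Windows Error Reporting; a parent running from
        # %TEMP% or %APPDATA% is the injection-host pattern in this report.
        if name == "wermgr.exe" and parent and USER_WRITABLE.search(parent["image"]):
            alerts.append(("wermgr_spawned_by_user_writable_binary", e["pid"],
                           lineage(index, e["pid"])))
        if name.endswith(".exe") and USER_WRITABLE.search(e["image"]):
            alerts.append(("exe_launched_from_user_writable_path", e["pid"],
                           lineage(index, e["pid"])))
    return alerts


if __name__ == "__main__":
    for rule, pid, chain in detect(EVENTS):
        print(f"{rule:40s} pid={pid:<5d} " + " <- ".join(basename(p) for p in chain))
```

Against the constructed events the shadow-copy alert carries the full lineage wmic.exe <- wermgr.exe <- LisectAVT_2403002B_153.exe, which is the context an analyst needs to tie the wmic invocation back to the dropper rather than to a legitimate administrator.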

Network

Country Destination Domain Proto
US 8.8.8.8:53 ddos.dnsnb8.net udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 www.2mmotorsport.biz udp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
US 8.8.8.8:53 www.haargenau.biz udp
CH 217.26.53.161:443 www.haargenau.biz tcp
CH 217.26.53.161:443 www.haargenau.biz tcp
CH 217.26.53.161:443 www.haargenau.biz tcp
CH 217.26.53.161:443 www.haargenau.biz tcp
US 8.8.8.8:53 www.bizziniinfissi.com udp
US 8.8.8.8:53 www.holzbock.biz udp
CH 94.126.20.68:443 www.holzbock.biz tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 92.123.143.185:80 r10.o.lencr.org tcp
US 8.8.8.8:53 www.schreiner-freiamt.ch udp
CH 94.126.20.68:443 www.schreiner-freiamt.ch tcp
US 8.8.8.8:53 www.fliptray.biz udp
US 8.8.8.8:53 www.pizcam.com udp
CH 185.177.62.27:443 www.pizcam.com tcp
CH 185.177.62.27:443 www.pizcam.com tcp
CH 185.177.62.27:443 www.pizcam.com tcp
CH 185.177.62.27:443 www.pizcam.com tcp
US 8.8.8.8:53 www.swisswellness.com udp
DE 83.138.86.12:443 www.swisswellness.com tcp
US 8.8.8.8:53 www.hotelweisshorn.com udp
HK 38.207.226.122:443 www.hotelweisshorn.com tcp
HK 38.207.226.122:443 www.hotelweisshorn.com tcp
HK 38.207.226.122:443 www.hotelweisshorn.com tcp
US 8.8.8.8:53 www.whitepod.com udp
CH 83.166.138.7:443 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
US 8.8.8.8:53 www.hardrockhoteldavos.com udp
US 18.207.88.16:443 www.hardrockhoteldavos.com tcp
US 8.8.8.8:53 www.hardrockhotels.com udp
US 151.101.3.52:443 www.hardrockhotels.com tcp
US 151.101.3.52:443 www.hardrockhotels.com tcp
US 151.101.3.52:443 www.hardrockhotels.com tcp
US 151.101.3.52:443 www.hardrockhotels.com tcp
US 8.8.8.8:53 www.belvedere-locarno.com udp
US 104.26.6.206:443 www.belvedere-locarno.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 92.123.143.169:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 95.100.245.168:80 x2.c.lencr.org tcp
US 8.8.8.8:53 www.hotelfarinet.com udp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
GB 18.132.18.63:443 www.hotelfarinet.com tcp
US 8.8.8.8:53 www.hrk-ramoz.com udp
HK 156.235.147.122:443 www.hrk-ramoz.com tcp
US 8.8.8.8:53 www.morcote-residenza.com udp
CH 194.191.24.37:443 www.morcote-residenza.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 92.123.142.59:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.seitensprungzimmer24.com udp
DE 136.243.162.140:443 www.seitensprungzimmer24.com tcp
US 8.8.8.8:53 seitensprungzimmer24.com udp
DE 136.243.162.140:443 seitensprungzimmer24.com tcp
US 8.8.8.8:53 www.arbezie-hotel.com udp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
US 8.8.8.8:53 www.aubergemontblanc.com udp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
US 8.8.8.8:53 www.torhotel.com udp
CH 128.65.195.228:443 www.torhotel.com tcp
CH 128.65.195.228:443 www.torhotel.com tcp
CH 128.65.195.228:443 www.torhotel.com tcp
CH 128.65.195.228:443 www.torhotel.com tcp
US 8.8.8.8:53 www.alpenlodge.com udp
CH 217.26.55.76:443 www.alpenlodge.com tcp
CH 217.26.55.76:443 www.alpenlodge.com tcp
CH 217.26.55.76:443 www.alpenlodge.com tcp
CH 217.26.55.76:443 www.alpenlodge.com tcp
US 8.8.8.8:53 www.aparthotelzurich.com udp
US 104.17.182.58:443 www.aparthotelzurich.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.3:80 c.pki.goog tcp
US 8.8.8.8:53 www.bnbdelacolline.com udp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
US 8.8.8.8:53 www.elite-hotel.com udp
CH 80.74.144.93:443 www.elite-hotel.com tcp
CH 80.74.144.93:443 www.elite-hotel.com tcp
CH 80.74.144.93:443 www.elite-hotel.com tcp
CH 80.74.144.93:443 www.elite-hotel.com tcp
US 8.8.8.8:53 www.bristol-adelboden.com udp
IE 52.17.119.105:443 www.bristol-adelboden.com tcp
IE 52.17.119.105:443 www.bristol-adelboden.com tcp
IE 52.17.119.105:443 www.bristol-adelboden.com tcp
IE 52.17.119.105:443 www.bristol-adelboden.com tcp
US 8.8.8.8:53 www.nationalzermatt.com udp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
US 8.8.8.8:53 www.waageglarus.com udp
US 8.8.8.8:53 www.limmathof.com udp
US 198.185.159.145:443 www.limmathof.com tcp
US 8.8.8.8:53 www.apartmenthaus.com udp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
US 8.8.8.8:53 www.berginsel.com udp
CH 80.74.145.65:443 www.berginsel.com tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 92.123.143.169:80 r10.o.lencr.org tcp
US 8.8.8.8:53 berginsel-oberems.ch udp
CH 80.74.145.65:443 berginsel-oberems.ch tcp
US 8.8.8.8:53 www.chambre-d-hote-chez-fleury.com udp
IE 52.215.95.29:443 www.chambre-d-hote-chez-fleury.com tcp
US 8.8.8.8:53 www.hotel-blumental.com udp
CH 94.126.21.30:443 www.hotel-blumental.com tcp
CH 94.126.21.30:443 www.hotel-blumental.com tcp
US 8.8.8.8:53 crl.geotrust.com udp
SE 192.229.221.95:80 crl.geotrust.com tcp
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.147.35:443 www.facebook.com tcp
SE 192.229.221.95:80 crl.geotrust.com tcp
US 8.8.8.8:53 www.la-fontaine.com udp
DE 213.199.57.77:443 www.la-fontaine.com tcp
DE 213.199.57.77:443 www.la-fontaine.com tcp
DE 213.199.57.77:443 www.la-fontaine.com tcp
DE 213.199.57.77:443 www.la-fontaine.com tcp
IE 54.194.127.198:443 www.chambre-d-hote-chez-fleury.com tcp
US 8.8.8.8:53 www.hotelalbanareal.com udp
DE 3.67.141.185:443 www.hotelalbanareal.com tcp
DE 3.67.141.185:443 www.hotelalbanareal.com tcp
DE 3.67.141.185:443 www.hotelalbanareal.com tcp
DE 3.67.141.185:443 www.hotelalbanareal.com tcp
US 8.8.8.8:53 www.geneva.frasershospitality.com udp
US 8.8.8.8:53 www.luganohoteladmiral.com udp
CH 185.181.206.95:443 www.luganohoteladmiral.com tcp
CH 185.181.206.95:443 www.luganohoteladmiral.com tcp
CH 185.181.206.95:443 www.luganohoteladmiral.com tcp
CH 185.181.206.95:443 www.luganohoteladmiral.com tcp
US 8.8.8.8:53 www.bellevuewiesen.com udp
GB 159.65.93.218:443 www.bellevuewiesen.com tcp
GB 159.65.93.218:443 www.bellevuewiesen.com tcp
GB 159.65.93.218:443 www.bellevuewiesen.com tcp
GB 159.65.93.218:443 www.bellevuewiesen.com tcp
US 8.8.8.8:53 www.hoteltruite.com udp
NL 185.107.56.195:443 www.hoteltruite.com tcp
US 8.8.8.8:53 survey-smiles.com udp
US 199.59.243.226:80 survey-smiles.com tcp
US 8.8.8.8:53 www.hotelgarni-battello.com udp
US 8.8.8.8:53 www.seminarhotel.com udp
CH 151.248.236.144:443 www.seminarhotel.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 92.123.143.185:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.roemerturm.ch udp
CH 151.248.236.144:443 www.roemerturm.ch tcp
US 8.8.8.8:53 www.kroneregensberg.com udp
CH 217.26.60.254:443 www.kroneregensberg.com tcp
CH 217.26.60.254:443 www.kroneregensberg.com tcp
CH 217.26.60.254:443 www.kroneregensberg.com tcp
CH 217.26.60.254:443 www.kroneregensberg.com tcp
US 8.8.8.8:53 www.puurehuus.com udp
CH 217.26.54.189:443 www.puurehuus.com tcp
CH 217.26.54.189:443 www.puurehuus.com tcp
CH 217.26.54.189:443 www.puurehuus.com tcp
CH 217.26.54.189:443 www.puurehuus.com tcp
US 8.8.8.8:53 www.hotel-zermatt.com udp
CH 82.220.37.45:443 www.hotel-zermatt.com tcp
US 8.8.8.8:53 www.stchristophesa.com udp
CH 83.166.133.76:443 www.stchristophesa.com tcp
CH 83.166.133.76:443 www.stchristophesa.com tcp
CH 83.166.133.76:443 www.stchristophesa.com tcp
CH 83.166.133.76:443 www.stchristophesa.com tcp
US 8.8.8.8:53 www.nh-hotels.com udp
GB 2.17.70.109:443 www.nh-hotels.com tcp
GB 2.17.70.109:443 www.nh-hotels.com tcp
GB 2.17.70.109:443 www.nh-hotels.com tcp
GB 2.17.70.109:443 www.nh-hotels.com tcp
US 8.8.8.8:53 www.schwendelberg.com udp
CH 193.17.199.27:443 www.schwendelberg.com tcp
CH 193.17.199.27:443 www.schwendelberg.com tcp
CH 193.17.199.27:443 www.schwendelberg.com tcp
CH 193.17.199.27:443 www.schwendelberg.com tcp
US 8.8.8.8:53 www.stalden.com udp
CH 193.33.128.144:443 www.stalden.com tcp
US 8.8.8.8:53 www.vignobledore.com udp
GB 213.129.84.57:443 www.vignobledore.com tcp
US 8.8.8.8:53 www.eyholz.com udp
CH 81.201.201.94:443 www.eyholz.com tcp
CH 81.201.201.94:443 www.eyholz.com tcp
CH 81.201.201.94:443 www.eyholz.com tcp
CH 81.201.201.94:443 www.eyholz.com tcp
US 8.8.8.8:53 www.flemings-hotel.com udp
NL 188.227.206.226:443 www.flemings-hotel.com tcp
NL 188.227.206.226:443 www.flemings-hotel.com tcp
NL 188.227.206.226:443 www.flemings-hotel.com tcp
NL 188.227.206.226:443 www.flemings-hotel.com tcp
US 8.8.8.8:53 www.hiexgeneva.com udp
CH 81.23.73.70:443 www.hiexgeneva.com tcp
US 8.8.8.8:53 www.expressgeneva.com udp
CH 81.23.73.70:443 www.expressgeneva.com tcp
US 8.8.8.8:53 www.petit-paradis.com udp
GB 185.151.30.132:443 www.petit-paradis.com tcp
GB 185.151.30.132:443 www.petit-paradis.com tcp
GB 185.151.30.132:443 www.petit-paradis.com tcp
GB 185.151.30.132:443 www.petit-paradis.com tcp
US 8.8.8.8:53 www.berghaus-toni.com udp
US 34.149.87.45:443 www.berghaus-toni.com tcp
US 8.8.8.8:53 www.hotelglanis.com udp
US 34.149.87.45:443 www.hotelglanis.com tcp
US 8.8.8.8:53 www.16eme.com udp
US 34.149.87.45:443 www.16eme.com tcp
US 8.8.8.8:53 www.staubbach.com udp
DE 104.248.24.229:443 www.staubbach.com tcp
US 8.8.8.8:53 www.samnaunerhof.com udp
AT 94.198.139.116:443 www.samnaunerhof.com tcp
US 8.8.8.8:53 www.airporthotelbasel.com udp
US 104.17.186.58:443 www.airporthotelbasel.com tcp
US 8.8.8.8:53 www.elite-biel.com udp
CH 94.126.23.52:443 www.elite-biel.com tcp
CH 94.126.23.52:443 www.elite-biel.com tcp
CH 94.126.23.52:443 www.elite-biel.com tcp
CH 94.126.23.52:443 www.elite-biel.com tcp
US 8.8.8.8:53 www.aubergecouronne.com udp
FR 46.105.204.26:443 www.aubergecouronne.com tcp
US 8.8.8.8:53 www.le-saint-hubert.com udp
US 34.149.87.45:443 www.le-saint-hubert.com tcp
US 8.8.8.8:53 www.bonmont.com udp
CH 195.141.14.125:443 www.bonmont.com tcp
US 8.8.8.8:53 www.cm-lodge.com udp
CH 149.126.4.89:443 www.cm-lodge.com tcp
US 8.8.8.8:53 www.experimentalchalet.com udp
US 35.241.50.205:443 www.experimentalchalet.com tcp
US 8.8.8.8:53 o.pki.goog udp
GB 172.217.169.3:80 o.pki.goog tcp
US 8.8.8.8:53 www.guardagolf.com udp
CH 83.166.138.8:443 www.guardagolf.com tcp
CH 83.166.138.8:443 www.guardagolf.com tcp
CH 83.166.138.8:443 www.guardagolf.com tcp
CH 83.166.138.8:443 www.guardagolf.com tcp
US 8.8.8.8:53 www.hotelchery.com udp
CH 185.220.247.251:443 www.hotelchery.com tcp
CH 185.220.247.251:443 www.hotelchery.com tcp
CH 185.220.247.251:443 www.hotelchery.com tcp
CH 185.220.247.251:443 www.hotelchery.com tcp
US 8.8.8.8:53 www.ibis.com udp
US 165.160.13.20:443 www.ibis.com tcp
US 165.160.15.20:443 www.ibis.com tcp
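The table above mixes three things a triage analyst wants separated: DNS lookups, the TLS connections that followed them, and the one TCP destination on a non-web port (44.221.84.105:799). It also contains domains that were resolved but never connected to (for example www.bizziniinfissi.com and www.fliptray.biz), and a few :80 rows to OCSP/CRL responders (lencr.org, identrust.com, pki.goog, crl.microsoft.com, crl.geotrust.com) that are a side effect of the TLS handshakes rather than command and control. The script below is an added example for this report, not sandbox output: parse() reads the report's own "Country Destination Domain Proto" row format and summarize() produces the IOC groupings. SAMPLE is a subset of rows copied verbatim from the table above to keep the example short; treating 80 and 443 as the only expected TCP ports is an assumption of the example.

```python
"""Summarise this report's Network table into triage-ready groupings.

Added example, not sandbox output. SAMPLE is a verbatim subset of the
report's Network table; 80/443 as the expected TCP ports is an assumption.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(r"^([A-Z]{2})\s+(\S+?):(\d+)\s+(\S+)\s+(tcp|udp)$")
EXPECTED_TCP_PORTS = {80, 443}

SAMPLE = """\
US 8.8.8.8:53 ddos.dnsnb8.net udp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 44.221.84.105:799 ddos.dnsnb8.net tcp
US 8.8.8.8:53 www.2mmotorsport.biz udp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
US 8.8.8.8:53 www.bizziniinfissi.com udp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 92.123.143.185:80 r10.o.lencr.org tcp
US 8.8.8.8:53 www.pizcam.com udp
CH 185.177.62.27:443 www.pizcam.com tcp
US 8.8.8.8:53 www.fliptray.biz udp
US 8.8.8.8:53 www.ibis.com udp
US 165.160.13.20:443 www.ibis.com tcp
US 165.160.15.20:443 www.ibis.com tcp
"""


def parse(text):
    """Return (country, ip, port, domain, proto) per well-formed row; skip others."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append((cc, ip, int(port), domain, proto))
    return rows


def summarize(rows):
    """Deduplicate rows and group them the way a blocklist or hunt would use them."""
    unique = set(rows)
    connected = defaultdict(set)   # domain -> {(ip, port)} reached over TCP
    resolved = set()               # domains seen in DNS lookups
    for _, ip, port, domain, proto in unique:
        if proto == "tcp":
            connected[domain].add((ip, port))
        else:
            resolved.add(domain)
    return {
        "unique_rows": len(unique),
        "tcp_destinations": sorted({(ip, p) for s in connected.values() for ip, p in s}),
        "tls_hosts": sorted(d for d, s in connected.items() if any(p == 443 for _, p in s)),
        # Anything off 80/443 is worth a second look; here the :799 endpoint.
        "odd_ports": sorted((d, ip, p) for d, s in connected.items()
                            for ip, p in s if p not in EXPECTED_TCP_PORTS),
        # Resolved but never connected: NXDOMAIN, timeout, or sandbox cut-off.
        "resolved_not_connected": sorted(resolved - set(connected)),
        "multi_ip_hosts": sorted(d for d, s in connected.items()
                                 if len({ip for ip, _ in s}) > 1),
    }


if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```

Run it over the full table and the tls_hosts list is the dozens of unrelated hotel and small-business sites contacted within the 144-second network window; that fan-out, not any single destination, is the network signal for this family, while odd_ports isolates the 799/tcp endpoint for blocking.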

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 00:58

Reported

2024-07-25 01:01

Platform

win10v2004-20240709-en

Max time kernel

6s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (269) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\LKLXS-DECRYPT.txt C:\Windows\SysWOW64\wermgr.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\2a33eaf12a33ed1d311.lock C:\Windows\SysWOW64\wermgr.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\wermgr.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\wermgr.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\RegisterWrite.WTV C:\Windows\SysWOW64\wermgr.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\misc.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File created C:\Program Files (x86)\LKLXS-DECRYPT.txt C:\Windows\SysWOW64\wermgr.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\DisableRegister.pptx C:\Windows\SysWOW64\wermgr.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\wabmig.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\RenameFormat.mp4 C:\Windows\SysWOW64\wermgr.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wermgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\wermgr.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\wermgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\wermgr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A
N/A N/A C:\Windows\SysWOW64\wermgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1436 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe
PID 1436 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe
PID 1436 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe
PID 1688 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe C:\Windows\servicing\TrustedInstaller.exe
PID 1688 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe C:\Windows\servicing\TrustedInstaller.exe
PID 1688 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe C:\Windows\servicing\TrustedInstaller.exe
PID 1436 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Windows\SysWOW64\wermgr.exe
PID 1436 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Windows\SysWOW64\wermgr.exe
PID 1436 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Windows\SysWOW64\wermgr.exe
PID 1436 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Windows\SysWOW64\wermgr.exe
PID 1436 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe C:\Windows\SysWOW64\wermgr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe"

C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe

C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\70db0da5.bat" "

C:\Windows\SysWOW64\wermgr.exe

"C:\Windows\System32\wermgr.exe"

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network


Files
