Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 18-05-2021 08:06
- Static task: static1
- Behavioral task: behavioral1
  Sample: f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  Resource: win7v20210410
- Behavioral task: behavioral2
  Sample: f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  Resource: win10v20210410
General
- Target: f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
- Size: 229KB
- MD5: d0ad1509cda862e6c3d86a2989748003
- SHA1: a1d2a91ad0cb1419bfb663a67abbc340f4806eb1
- SHA256: f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c
- SHA512: 4665e360c9d369d821c9ff93173c812db6ae9297746434ad17a9f3c8f8826ae8e2c201259ccf125d1e014d7eeae0fe4ac3be309d93fe9dff8bc08de150975f09
Malware Config
Signatures
- GandCrab Payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral2/memory/3212-115-0x0000000000BB0000-0x0000000000BC7000-memory.dmp | family_gandcrab
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wxavbhzlffc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\bggwhn.exe\"" | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  description | ioc | process
  File opened (read-only) | \??\N: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\P: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\X: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\Z: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\E: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\Q: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\S: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\T: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\U: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\W: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\M: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\A: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\B: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\G: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\H: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\I: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\K: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\L: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\O: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\R: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\Y: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\F: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\J: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  File opened (read-only) | \??\V: | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  3424 | 3212 | WerFault.exe | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  Processes: f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe, WerFault.exe
  pid | process
  3212 | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  3212 | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  3212 | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  3212 | f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  3424 | WerFault.exe
  3424 | WerFault.exe
  3424 | WerFault.exe
  3424 | WerFault.exe
  3424 | WerFault.exe
  3424 | WerFault.exe
  3424 | WerFault.exe
  3424 | WerFault.exe
  3424 | WerFault.exe
  3424 | WerFault.exe
  3424 | WerFault.exe
  3424 | WerFault.exe
  3424 | WerFault.exe
  3424 | WerFault.exe
  3424 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: WerFault.exe
  description | pid | process
  Token: SeRestorePrivilege | 3424 | WerFault.exe
  Token: SeBackupPrivilege | 3424 | WerFault.exe
  Token: SeDebugPrivilege | 3424 | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f4bc9196dc7eb796af047f8655fab607d910ecfd4ba2eeadd9ea931fdda9498c.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1248
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken