Analysis
-
max time kernel
137s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
16-06-2021 14:38
General
-
Target
463dac638934df6e6bc4be2b7b8f796befbafae68cb465eb85a90da39de75604.exe
-
Size
169KB
-
MD5
e39a000a6c0925438b1bf9a4a9b19745
-
SHA1
65edffb71bc17b8fcb7a9b102952189fe13b1c4f
-
SHA256
463dac638934df6e6bc4be2b7b8f796befbafae68cb465eb85a90da39de75604
-
SHA512
1fb459c5b06ff194c3ef399d5b2187667abec959978e75ba1c04148ff43c9bff7246bc513c5a32fe815d16915b90bb7910120bd7d9865d49c1e8e91bc34cbafd
Score
10/10
Malware Config
Extracted
Path
C:\KRAB-DECRYPT.txt
Ransom Note
---= GANDCRAB V4 =---
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/6fa755ca9d8583c1
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
lAQAANz/LpMeLMaqWLO5no/F/+BQ4przNRO3yFNV/GFoP6SmpKDtNxHP25KOcxJc23rzj1jSn9dm7QmSajD4vqzIT27MUmjtTLpIrT6RUIxEHSQHTO/yyPOFgSKhfElHyrfFvG4bclNbPEtcQJKOyznbplpInPwlZILsjSzXrgtvX23D/wPuVGhZ855xw0/SRIURZnNktrv5yhXtzbKs5Row5P7IjytBpDJLMqPY/V60ziuk6695m8Pz9tf22aqNQMxK8kN+17ol7c8vAcFY8DjTmeCqZJVaCtbbMNgUpLjLMeQ9Mu5SYKBRG4rRK407eNAYTYsQ7K+piE+lGyeBI52Mwl7CWrgET+rS+x3L4QB4jpl6t9m84YS7LXHUa486F3Xfplo/z4lWWWrU7ZEmY3kbXAg6Dg8xmIaFM181mUG21MCsTiMKY3w/5bHZHtlrP92R6H7YnNxLDXb1kVHwMZcgGt7kY274zdB9xnKpHHyWRfLYyxqZZg1umvncFd0mluzwAmIxxbPOvfM1oRPBT3NXfCjAHHMUjhvDkxA14jZBng0qj77o/+IMWPluJRW0Jx3/BcD2HGzuwln+tnasMD+l9mHVFrfSier+afIPv/jAX/Qb+qZXsUmBEGQHGnemAWpm1y5JBkwuA2ISGDuYfPOjF/0lbMHWCECSeexc4hFcfJ+j3us64wtt5/YuvjMOaLZL0xzJLPwQqKIct5yhWo4Em24taVkFPXJs6ZGJjcWhvja5HiQ7+FqiKT+JkDy8TH10p0qOhG2wCsU3AFZOXk1X7oUG+MTOj5trFoSpSK4Gr5iwKOJQQ8Mdam1ZfXH9WEwy0NyXf+Vi4YT2NEcu1tOwXe2+IbYDjgzu1a0AQ7mslcjXJZG3utOe/4JK5NwtUEk5gsDZiJqHG37gu+8p6agobIYbZ4Abi+hCF8AQ+Xx+vnuvltMeOjwuCBbLxk7T6GOAuvjWitaY6ocuQ1NR9sGsj62wiybeO7bae9j1LTRfcVGm4+KAA4fGwxjv/z6AgVoxSgaxFQp+XXphl1MVuwbT4b65WY5N4u3OZJpIxOPWXK/sHimoydhyu2qsVXcKc3qrO7Sj6L+mUuBFoWUkN7EsTjy8472ew4HKW/mSGGSbvbKSpKEXKroRCZnOFBRLtq0HzhwvcSJmaQDYH2A0ffcMdWW92JBthGeR5bvdAptR8ylZzeKyZ9izSUSsCR7W/ftI3OCCW1W393dfIFjT//WFDzDEl+jZEfv5sEMQ3BjF2/rI8C8Dw4xcFyzON6ReUNr/Sm7mww1Hjom9JF+TbiUT1lmuRkxENWDoYhubGO2Dhwfqo8RKpkpiR+YpZmiJbNoVZuJqqkcyeXYaOyoN5j/nS+qYdE5VYUjR1pr/GBzEgolOYkwSvOmsMtKx5f66HZ45QgR98f7OZF6c8RfQbkfrSo09l+5VLS0NjZPAnFg8SRVLODLTfFnsIWV0qtIRjb/DDvGVd4ZwBE27ld2+MdFWZWRmG40PtOEj9G88EhQIWlecWQIOFrp899nl5JvhJSd9PWnyKtRC9DqXruQ4HhPAY/6pDZ8ezkQt/3/3QGtAvlEo+NAbsuJYs0YHEJY2CPaP6eKUVc4dN0NQg6zITsfsZKQBPSA99h1Nr0B/APk56DlclcLBECd57jzMBikoWh0JMdwOlqK9BWmIk4NJ1/hSYMLXC3qX5xypeUQe60VNZhav29edBgCkyokxtFZlLNFGmuxSQuCdip8TrQ0cSsi+Q2bE2xZ2XrqXYbrgcU1wqDQLPSOcR4/bB4Pt97Pt0RNN9+M38tuPnakcW55H6G06/c/fzzxQf3c3XKTrBZVylEVXQvo0TUkw8u60k2Vi6M7zr8HM0ULhP1CDM8436PBDoLY5dgKxaTqxbNxpzqsrgbJPUyDaNtMRPfUcxN+MV3N1bgpLzE0GMs4tanlnTMGLj9IH3psLiETYppnrYWPhDkvqyqco3sn60qY51+tq0+SY1nI6XENCFJ3DYrilTZez9EJzSQbWXxiHsuNPT88ZXrNTOwRyxUtMzU2QypETQ8qaIJLQW90mGth2PjJaujcXFpVF6DmhHJyUSVJo4PQrsp3qB4vSo6LG4NYuniqNcpmRBAPnbZEkQVrIKgvCU5taY4KcAy1S8Imv1TxPksgOYQxyvxi9vQXj4EBmQE3QWALgQ0bixvIV2nJZOSd8DdN5Nc+p0VDZGNdu84+XXnGzQiKNQl0w5tEQpV5XF2bgnFj/SF83ECk=
---END GANDCRAB KEY---
---BEGIN PC DATA---
wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZFTp1Rs3YO7npWs7fRTG+Hhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZdP6U/VvqF1shzlzbajc1AHXg7l8xnT91gCFUxMg7ADMEr7316SnTFUg/DkeItL9jgqZmnprr55+pi5rF3kRvBseKt/zI2GesjGtNYb1rQBibtuxGOEY0b9Scf4qq4MaaXY7JyAYzW2Q+irpQZTWgqalO4JIUJo5FhwNYoDBPInKY+DO5AAL6fhWEzg6trLg3uxA9KyQ7/ZijpCxFb3qzLZeak1wcZNHQARhaKOTmD1j7gLX9ZmUXfmSz3QV9n27J7lo2wqHJXVdHpIjf5fBAcYsBiP2hNgH9AQyDCiKYGErrtc0j2BYRMPpGkHsYOIL8=
---END PC DATA---
URLs
http://gandcrabmfe6mnef.onion/6fa755ca9d8583c1
Signatures
-
GandCrab Payload 1 IoCs
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 32 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\463dac638934df6e6bc4be2b7b8f796befbafae68cb465eb85a90da39de75604.exe"C:\Users\Admin\AppData\Local\Temp\463dac638934df6e6bc4be2b7b8f796befbafae68cb465eb85a90da39de75604.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3436-115-0x0000000000000000-mapping.dmp
-
memory/3680-114-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB