Analysis
  max time kernel:  46s
  max time network: 150s
  platform:         windows7_x64
  resource:         win7v20210410
  submitted:        26-07-2021 12:58
Static task
  static1

Behavioral task
  behavioral1
  Sample:   329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  Resource: win7v20210410

Behavioral task
  behavioral2
  Sample:   329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  Resource: win10v20210410
General
  Target: 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  Size:   99KB
  MD5:    78efe80384fa759964c9ea8bada3ac8d
  SHA1:   6300dca046dee2d99f8429bdb9b5f3edc4d5ec1c
  SHA256: 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9
  SHA512: faab33afd525d4dee0497096f8cd07c748d98d6b3337d0616740495e6dde2d3b6a4bfb4aadfc2ac032ea5d6e065fc17b0addb4a1fe01878868d39d5d7c282dbc
Malware Config
  Extracted from: C:\ICWAZKLCY-DECRYPT.txt
  Family:         gandcrab
  URL:            http://gandcrabmfe6mnef.onion/6de1c63a42679636
Signatures

Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    description | ioc | process
    File renamed | C:\Users\Admin\Pictures\ExitEnter.png => C:\Users\Admin\Pictures\ExitEnter.png.icwazklcy | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
    File renamed | C:\Users\Admin\Pictures\GroupInstall.raw => C:\Users\Admin\Pictures\GroupInstall.raw.icwazklcy | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
    File opened for modification | C:\Users\Admin\Pictures\TestGet.tiff | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
    File renamed | C:\Users\Admin\Pictures\TestGet.tiff => C:\Users\Admin\Pictures\TestGet.tiff.icwazklcy | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description | ioc | process
    File opened (read-only) | \??\U: \??\V: \??\K: \??\L: \??\M: \??\O: \??\P: \??\S: \??\B: \??\E: \??\J: \??\R: \??\G: \??\H: \??\N: \??\Q: \??\W: \??\Z: \??\A: \??\F: \??\I: \??\T: \??\X: \??\Y: (one entry per drive letter, 24 in total) | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe

Drops file in Program Files directory (23 IoCs)
  Processes (process column is 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe for every row):
    description | ioc
    File opened for modification | C:\Program Files\EnterResume.odp
    File opened for modification | C:\Program Files\GetUse.mov
    File opened for modification | C:\Program Files\OptimizeRevoke.docx
    File opened for modification | C:\Program Files\ReadSubmit.m1v
    File opened for modification | C:\Program Files\RegisterRead.wvx
    File created | C:\Program Files (x86)\ICWAZKLCY-DECRYPT.txt
    File created | C:\Program Files\426791d642679637612.lock
    File opened for modification | C:\Program Files\ConnectUpdate.reg
    File opened for modification | C:\Program Files\PushApprove.wps
    File opened for modification | C:\Program Files\ResumeExpand.sql
    File opened for modification | C:\Program Files\WaitUse.3gp
    File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\ICWAZKLCY-DECRYPT.txt
    File created | C:\Program Files\ICWAZKLCY-DECRYPT.txt
    File opened for modification | C:\Program Files\PopConfirm.docm
    File opened for modification | C:\Program Files\SelectAssert.rtf
    File created | C:\Program Files (x86)\426791d642679637612.lock
    File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\ICWAZKLCY-DECRYPT.txt
    File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\426791d642679637612.lock
    File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\ICWAZKLCY-DECRYPT.txt
    File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\426791d642679637612.lock
    File opened for modification | C:\Program Files\DisablePush.mpv2
    File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\426791d642679637612.lock
    File opened for modification | C:\Program Files\LockRestart.raw
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    748 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
    748 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe

Suspicious use of AdjustPrivilegeToken (44 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 748 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
    The following 20 token entries were recorded twice, in this order, for pid 764 (wmic.exe), giving 40 rows:
    Token: SeIncreaseQuotaPrivilege | 764 | wmic.exe
    Token: SeSecurityPrivilege | 764 | wmic.exe
    Token: SeTakeOwnershipPrivilege | 764 | wmic.exe
    Token: SeLoadDriverPrivilege | 764 | wmic.exe
    Token: SeSystemProfilePrivilege | 764 | wmic.exe
    Token: SeSystemtimePrivilege | 764 | wmic.exe
    Token: SeProfSingleProcessPrivilege | 764 | wmic.exe
    Token: SeIncBasePriorityPrivilege | 764 | wmic.exe
    Token: SeCreatePagefilePrivilege | 764 | wmic.exe
    Token: SeBackupPrivilege | 764 | wmic.exe
    Token: SeRestorePrivilege | 764 | wmic.exe
    Token: SeShutdownPrivilege | 764 | wmic.exe
    Token: SeDebugPrivilege | 764 | wmic.exe
    Token: SeSystemEnvironmentPrivilege | 764 | wmic.exe
    Token: SeRemoteShutdownPrivilege | 764 | wmic.exe
    Token: SeUndockPrivilege | 764 | wmic.exe
    Token: SeManageVolumePrivilege | 764 | wmic.exe
    Token: 33 | 764 | wmic.exe
    Token: 34 | 764 | wmic.exe
    Token: 35 | 764 | wmic.exe
    Token: SeBackupPrivilege | 1960 | vssvc.exe
    Token: SeRestorePrivilege | 1960 | vssvc.exe
    Token: SeAuditPrivilege | 1960 | vssvc.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description | pid | process | target process
    PID 748 wrote to memory of 764 | 748 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe | wmic.exe
    PID 748 wrote to memory of 764 | 748 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe | wmic.exe
    PID 748 wrote to memory of 764 | 748 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe | wmic.exe
    PID 748 wrote to memory of 764 | 748 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe | wmic.exe
Processes (process tree; children are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken