Analysis
- max time kernel: 46s
- max time network: 117s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 26-07-2021 12:58
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  Resource: win7v20210410
- Behavioral task: behavioral2
  Sample: 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  Resource: win10v20210410
General
- Target: 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
- Size: 99KB
- MD5: 78efe80384fa759964c9ea8bada3ac8d
- SHA1: 6300dca046dee2d99f8429bdb9b5f3edc4d5ec1c
- SHA256: 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9
- SHA512: faab33afd525d4dee0497096f8cd07c748d98d6b3337d0616740495e6dde2d3b6a4bfb4aadfc2ac032ea5d6e065fc17b0addb4a1fe01878868d39d5d7c282dbc
Malware Config
- Extracted from: C:\HHZLMFN-DECRYPT.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/8b5050ff5179efd
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\DismountTrace.png => C:\Users\Admin\Pictures\DismountTrace.png.hhzlmfn | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File renamed | C:\Users\Admin\Pictures\PublishSync.crw => C:\Users\Admin\Pictures\PublishSync.crw.hhzlmfn | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File renamed | C:\Users\Admin\Pictures\ShowCompress.raw => C:\Users\Admin\Pictures\ShowCompress.raw.hhzlmfn | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File renamed | C:\Users\Admin\Pictures\UnpublishLimit.tif => C:\Users\Admin\Pictures\UnpublishLimit.tif.hhzlmfn | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File renamed | C:\Users\Admin\Pictures\CloseInvoke.png => C:\Users\Admin\Pictures\CloseInvoke.png.hhzlmfn | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File renamed | C:\Users\Admin\Pictures\DismountRename.png => C:\Users\Admin\Pictures\DismountRename.png.hhzlmfn | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
- Drops startup file (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HHZLMFN-DECRYPT.txt | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\f517991df5179efc612.lock | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | process
  File opened (read-only) | \??\Y: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\A: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\E: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\F: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\M: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\P: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\Q: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\X: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\Z: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\U: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\B: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\J: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\K: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\L: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\N: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\O: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\T: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\V: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\W: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\H: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\I: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\G: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\R: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened (read-only) | \??\S: | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
- Drops file in Program Files directory (24 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Program Files\EnableSkip.cfg | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\InvokeShow.mhtml | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\RenameUndo.wmx | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\ResumeOut.vst | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\CompareBlock.wmf | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\RenameUse.css | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\RepairLimit.au | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\RevokeOut.xltm | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\UnblockUpdate.pcx | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\WaitCompare.bmp | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File created | C:\Program Files (x86)\f517991df5179efc612.lock | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\EditOut.jpg | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\ExportTrace.emf | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\RemoveAssert.wmf | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\SwitchApprove.mp4 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\UseLock.rtf | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File created | C:\Program Files\HHZLMFN-DECRYPT.txt | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\BackupUnpublish.tif | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\DenyResolve.jpeg | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\InstallComplete.tif | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\RegisterClose.mpeg3 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File opened for modification | C:\Program Files\RemoveResume.ttf | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File created | C:\Program Files (x86)\HHZLMFN-DECRYPT.txt | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  File created | C:\Program Files\f517991df5179efc612.lock | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  348 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  348 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  348 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  348 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 348 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  Token: SeIncreaseQuotaPrivilege | 1960 | wmic.exe
  Token: SeSecurityPrivilege | 1960 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1960 | wmic.exe
  Token: SeLoadDriverPrivilege | 1960 | wmic.exe
  Token: SeSystemProfilePrivilege | 1960 | wmic.exe
  Token: SeSystemtimePrivilege | 1960 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1960 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1960 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1960 | wmic.exe
  Token: SeBackupPrivilege | 1960 | wmic.exe
  Token: SeRestorePrivilege | 1960 | wmic.exe
  Token: SeShutdownPrivilege | 1960 | wmic.exe
  Token: SeDebugPrivilege | 1960 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1960 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1960 | wmic.exe
  Token: SeUndockPrivilege | 1960 | wmic.exe
  Token: SeManageVolumePrivilege | 1960 | wmic.exe
  Token: 33 | 1960 | wmic.exe
  Token: 34 | 1960 | wmic.exe
  Token: 35 | 1960 | wmic.exe
  Token: 36 | 1960 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 1960 | wmic.exe
  Token: SeSecurityPrivilege | 1960 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1960 | wmic.exe
  Token: SeLoadDriverPrivilege | 1960 | wmic.exe
  Token: SeSystemProfilePrivilege | 1960 | wmic.exe
  Token: SeSystemtimePrivilege | 1960 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1960 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1960 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1960 | wmic.exe
  Token: SeBackupPrivilege | 1960 | wmic.exe
  Token: SeRestorePrivilege | 1960 | wmic.exe
  Token: SeShutdownPrivilege | 1960 | wmic.exe
  Token: SeDebugPrivilege | 1960 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1960 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1960 | wmic.exe
  Token: SeUndockPrivilege | 1960 | wmic.exe
  Token: SeManageVolumePrivilege | 1960 | wmic.exe
  Token: 33 | 1960 | wmic.exe
  Token: 34 | 1960 | wmic.exe
  Token: 35 | 1960 | wmic.exe
  Token: 36 | 1960 | wmic.exe
  Token: SeBackupPrivilege | 200 | vssvc.exe
  Token: SeRestorePrivilege | 200 | vssvc.exe
  Token: SeAuditPrivilege | 200 | vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 348 wrote to memory of 1960 | 348 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe | wmic.exe
  PID 348 wrote to memory of 1960 | 348 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe | wmic.exe
  PID 348 wrote to memory of 1960 | 348 | 329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe | wmic.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9.sample.exe"
  Signatures:
  - Modifies extensions of user files
  - Drops startup file
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
(no entries)
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1960-114-0x0000000000000000-mapping.dmp