Analysis

- max time kernel: 18s
- max time network: 20s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 26-07-2021 12:40

Static task: static1

Behavioral task: behavioral1
- Sample: ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe
- Resource: win10v20210410
General

- Target: ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe
- Size: 205KB
- MD5: 97a910c50171124f2cd8cfc7a4f2fa4f
- SHA1: 3737d782cb64fa92d2c42f3c2857ee2295dc8aa4
- SHA256: ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23
- SHA512: cb0d9eb3bdeeb533e258473187d6dc17515de7d790fbeb5238e4eb0aeeb793bca8bf1bcda4a1c384cd6a488155e90f08a9e82846a08958c4f53de4b5e57e8844
Malware Config

Extracted
- C:\KRAB-DECRYPT.txt
- http://gandcrabmfe6mnef.onion/348c7f23c310f499
Signatures

GandCrab Payload (1 IoC)
Processes:
| resource | yara_rule |
| --- | --- |
| behavioral1/memory/1816-61-0x0000000000400000-0x0000000000439000-memory.dmp | family_gandcrab |

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
| description | ioc | process |
| --- | --- | --- |
| File renamed | C:\Users\Admin\Pictures\InitializeExport.raw => C:\Users\Admin\Pictures\InitializeExport.raw.KRAB | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File renamed | C:\Users\Admin\Pictures\ProtectNew.crw => C:\Users\Admin\Pictures\ProtectNew.crw.KRAB | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File renamed | C:\Users\Admin\Pictures\StepCompare.png => C:\Users\Admin\Pictures\StepCompare.png.KRAB | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |

Deletes itself (1 IoC)
Processes:
| pid | process |
| --- | --- |
| 392 | cmd.exe |

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
| description | ioc | process |
| --- | --- | --- |
| File opened (read-only) | \??\K: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\N: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\O: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\T: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\W: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\H: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\J: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\Q: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\S: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\U: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\V: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\Z: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\B: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\L: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\M: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\Y: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\E: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\I: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\G: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\P: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\R: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\X: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\A: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| File opened (read-only) | \??\F: | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |

Drops file in Program Files directory (36 IoCs)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |

Delays execution with timeout.exe (1 IoC)
Processes:
| pid | process |
| --- | --- |
| 1084 | timeout.exe |

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
| pid | process |
| --- | --- |
| 1816 | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |
| 1816 | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe |

Suspicious use of AdjustPrivilegeToken (43 IoCs)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 1816 wrote to memory of 336 | 1816 | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe | wmic.exe |
| PID 1816 wrote to memory of 336 | 1816 | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe | wmic.exe |
| PID 1816 wrote to memory of 336 | 1816 | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe | wmic.exe |
| PID 1816 wrote to memory of 336 | 1816 | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe | wmic.exe |
| PID 1816 wrote to memory of 392 | 1816 | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe | cmd.exe |
| PID 1816 wrote to memory of 392 | 1816 | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe | cmd.exe |
| PID 1816 wrote to memory of 392 | 1816 | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe | cmd.exe |
| PID 1816 wrote to memory of 392 | 1816 | ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe | cmd.exe |
| PID 392 wrote to memory of 1084 | 392 | cmd.exe | timeout.exe |
| PID 392 wrote to memory of 1084 | 392 | cmd.exe | timeout.exe |
| PID 392 wrote to memory of 1084 | 392 | cmd.exe | timeout.exe |
| PID 392 wrote to memory of 1084 | 392 | cmd.exe | timeout.exe |

Processes

- C:\Users\Admin\AppData\Local\Temp\ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout -c 5 & del "C:\Users\Admin\AppData\Local\Temp\ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe" /f /q
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout -c 5
      - Delays execution with timeout.exe
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/336-62-0x0000000000000000-mapping.dmp
- memory/392-63-0x0000000000000000-mapping.dmp
- memory/1084-64-0x0000000000000000-mapping.dmp
- memory/1816-60-0x00000000752B1000-0x00000000752B3000-memory.dmp (Filesize: 8KB)
- memory/1816-61-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)