Analysis
Max time kernel: 17s
Max time network: 125s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 26-07-2021 12:40

Static task: static1

Behavioral task: behavioral1
Sample: ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe
Resource: win7v20210410

Behavioral task: behavioral2
Sample: ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe
Resource: win10v20210410
General
Target: ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe
Size: 205KB
MD5: 97a910c50171124f2cd8cfc7a4f2fa4f
SHA1: 3737d782cb64fa92d2c42f3c2857ee2295dc8aa4
SHA256: ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23
SHA512: cb0d9eb3bdeeb533e258473187d6dc17515de7d790fbeb5238e4eb0aeeb793bca8bf1bcda4a1c384cd6a488155e90f08a9e82846a08958c4f53de4b5e57e8844
Malware Config
Extracted
C:\KRAB-DECRYPT.txt
http://gandcrabmfe6mnef.onion/8d238d4aa15b504b
Signatures

GandCrab Payload (1 IoC)
Processes:
resource: behavioral2/memory/3540-114-0x0000000000400000-0x0000000000439000-memory.dmp
yara_rule: family_gandcrab
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe
File renamed: C:\Users\Admin\Pictures\MountExport.tiff => C:\Users\Admin\Pictures\MountExport.tiff.KRAB
File opened for modification: C:\Users\Admin\Pictures\OutCheckpoint.tiff
File renamed: C:\Users\Admin\Pictures\OutCheckpoint.tiff => C:\Users\Admin\Pictures\OutCheckpoint.tiff.KRAB
File renamed: C:\Users\Admin\Pictures\RemoveConvertFrom.raw => C:\Users\Admin\Pictures\RemoveConvertFrom.raw.KRAB
File renamed: C:\Users\Admin\Pictures\RevokeDeny.crw => C:\Users\Admin\Pictures\RevokeDeny.crw.KRAB
File renamed: C:\Users\Admin\Pictures\UnblockRestore.tif => C:\Users\Admin\Pictures\UnblockRestore.tif.KRAB
File renamed: C:\Users\Admin\Pictures\ExpandGroup.tif => C:\Users\Admin\Pictures\ExpandGroup.tif.KRAB
File opened for modification: C:\Users\Admin\Pictures\MountExport.tiff
Drops startup file (2 IoCs)
Process: ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KRAB-DECRYPT.txt
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\a15b57aba15b504a612.lock

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe
File opened (read-only): \??\N:, \??\R:, \??\X:, \??\Z:, \??\B:, \??\F:, \??\I:, \??\J:, \??\V:, \??\Y:, \??\K:, \??\P:, \??\Q:, \??\S:, \??\T:, \??\A:, \??\G:, \??\H:, \??\U:, \??\O:, \??\W:, \??\E:, \??\L:, \??\M:
Drops file in Program Files directory (24 IoCs)
Process: ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe
File opened for modification: C:\Program Files\UnregisterLock.dwg
File opened for modification: C:\Program Files\JoinReset.rar
File opened for modification: C:\Program Files\RegisterSelect.js
File opened for modification: C:\Program Files\RestartTest.xml
File opened for modification: C:\Program Files\CompressUnblock.png
File opened for modification: C:\Program Files\DenyDismount.svgz
File opened for modification: C:\Program Files\EditMeasure.asp
File opened for modification: C:\Program Files\GrantMeasure.jpg
File opened for modification: C:\Program Files\OpenConnect.ps1
File created: C:\Program Files\KRAB-DECRYPT.txt
File created: C:\Program Files\a15b57aba15b504a612.lock
File opened for modification: C:\Program Files\ClearRestore.rmi
File opened for modification: C:\Program Files\RenameUndo.css
File opened for modification: C:\Program Files\SwitchUnregister.xps
File created: C:\Program Files (x86)\KRAB-DECRYPT.txt
File opened for modification: C:\Program Files\RestartStep.odt
File opened for modification: C:\Program Files\StopJoin.DVR
File opened for modification: C:\Program Files\AddGet.mov
File opened for modification: C:\Program Files\CopyRedo.potx
File opened for modification: C:\Program Files\GetConfirm.xml
File created: C:\Program Files (x86)\a15b57aba15b504a612.lock
File opened for modification: C:\Program Files\PushEnable.eps
File opened for modification: C:\Program Files\SkipInvoke.M2TS
File opened for modification: C:\Program Files\SubmitImport.shtml

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier

Delays execution with timeout.exe (1 IoC)
Process: timeout.exe (PID 2876)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Process: ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe (PID 3540), logged 4 times

Suspicious use of AdjustPrivilegeToken (45 IoCs)
wmic.exe (PID 3532), each token logged twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
vssvc.exe (PID 1428): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege

Suspicious use of WriteProcessMemory (9 IoCs)
PID 3540 (ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe) wrote to memory of PID 3532 (wmic.exe), logged 3 times
PID 3540 (ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe) wrote to memory of PID 2928 (cmd.exe), logged 3 times
PID 2928 (cmd.exe) wrote to memory of PID 2876 (timeout.exe), logged 3 times
Processes

C:\Users\Admin\AppData\Local\Temp\ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout -c 5 & del "C:\Users\Admin\AppData\Local\Temp\ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23.sample.exe" /f /q
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout -c 5
      - Delays execution with timeout.exe

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken