Analysis
- max time kernel: 129s
- max time network: 135s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 20-10-2021 09:57

Static task: static1
Behavioral task: behavioral1
Sample: 2019-05-22-Rig-EK-payload-Gandcrab-ransomware.exe
Resource: win10-en-20210920
General
- Target: 2019-05-22-Rig-EK-payload-Gandcrab-ransomware.exe
- Size: 656KB
- MD5: 538d23ef01426d1157fa1137471a5cf7
- SHA1: ab553df2bb4f7f8d98cc39ac773aaaa1c7ca110f
- SHA256: af8e74d00babaae01b6f3b137cff7b6a6951456c66ffa95122695dad6c7b41a9
- SHA512: 9df42f3c39a8982bc77c82010509c3e98cc56c2d71c6f5f20274c0fbde17c58607d9579877983e2239d30fd60be14402b2b9e3d9295168a3cc8d31ac8f4a1111
Malware Config
Extracted
- Path: C:\KSPREIW-MANUAL.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/9dd5ac38f623035
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (14 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (process for every row: 2019-05-22-Rig-EK-payload-Gandcrab-ransomware.exe):
    description                   ioc
    File opened for modification  C:\Users\Admin\Pictures\EnableConfirm.tiff
    File renamed                  C:\Users\Admin\Pictures\NewHide.crw => C:\Users\Admin\Pictures\NewHide.crw.kspreiw
    File renamed                  C:\Users\Admin\Pictures\ProtectLimit.raw => C:\Users\Admin\Pictures\ProtectLimit.raw.kspreiw
    File renamed                  C:\Users\Admin\Pictures\SaveDeny.png => C:\Users\Admin\Pictures\SaveDeny.png.kspreiw
    File renamed                  C:\Users\Admin\Pictures\GrantJoin.png => C:\Users\Admin\Pictures\GrantJoin.png.kspreiw
    File renamed                  C:\Users\Admin\Pictures\UnprotectUpdate.raw => C:\Users\Admin\Pictures\UnprotectUpdate.raw.kspreiw
    File renamed                  C:\Users\Admin\Pictures\InvokeUndo.crw => C:\Users\Admin\Pictures\InvokeUndo.crw.kspreiw
    File renamed                  C:\Users\Admin\Pictures\PingFind.tif => C:\Users\Admin\Pictures\PingFind.tif.kspreiw
    File renamed                  C:\Users\Admin\Pictures\ClearSuspend.raw => C:\Users\Admin\Pictures\ClearSuspend.raw.kspreiw
    File renamed                  C:\Users\Admin\Pictures\ExpandSave.crw => C:\Users\Admin\Pictures\ExpandSave.crw.kspreiw
    File opened for modification  C:\Users\Admin\Pictures\ExportExpand.tiff
    File renamed                  C:\Users\Admin\Pictures\ExportExpand.tiff => C:\Users\Admin\Pictures\ExportExpand.tiff.kspreiw
    File renamed                  C:\Users\Admin\Pictures\EnableConfirm.tiff => C:\Users\Admin\Pictures\EnableConfirm.tiff.kspreiw
    File renamed                  C:\Users\Admin\Pictures\InitializeLimit.raw => C:\Users\Admin\Pictures\InitializeLimit.raw.kspreiw
- Drops startup file (2 IoCs)
  Processes (process for every row: 2019-05-22-Rig-EK-payload-Gandcrab-ransomware.exe):
    description   ioc
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KSPREIW-MANUAL.txt
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\8f6237d58f62303941c.lock
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (process for every row: 2019-05-22-Rig-EK-payload-Gandcrab-ransomware.exe):
    description              ioc
    File opened (read-only)  \??\B:
    File opened (read-only)  \??\Q:
    File opened (read-only)  \??\Z:
    File opened (read-only)  \??\N:
    File opened (read-only)  \??\O:
    File opened (read-only)  \??\R:
    File opened (read-only)  \??\W:
    File opened (read-only)  \??\Y:
    File opened (read-only)  \??\E:
    File opened (read-only)  \??\J:
    File opened (read-only)  \??\L:
    File opened (read-only)  \??\S:
    File opened (read-only)  \??\V:
    File opened (read-only)  \??\X:
    File opened (read-only)  \??\A:
    File opened (read-only)  \??\F:
    File opened (read-only)  \??\M:
    File opened (read-only)  \??\K:
    File opened (read-only)  \??\P:
    File opened (read-only)  \??\T:
    File opened (read-only)  \??\U:
    File opened (read-only)  \??\G:
    File opened (read-only)  \??\H:
    File opened (read-only)  \??\I:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (process: 2019-05-22-Rig-EK-payload-Gandcrab-ransomware.exe):
    description      ioc
    Set value (str)  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp"
- Drops file in Program Files directory (25 IoCs)
  Processes (process for every row: 2019-05-22-Rig-EK-payload-Gandcrab-ransomware.exe):
    description                   ioc
    File created                  C:\Program Files\KSPREIW-MANUAL.txt
    File opened for modification  C:\Program Files\SendMerge.cfg
    File opened for modification  C:\Program Files\UninstallInvoke.htm
    File opened for modification  C:\Program Files\UsePush.txt
    File created                  C:\Program Files (x86)\KSPREIW-MANUAL.txt
    File created                  C:\Program Files (x86)\8f6237d58f62303941c.lock
    File opened for modification  C:\Program Files\SkipMove.xht
    File opened for modification  C:\Program Files\ClosePublish.jpeg
    File opened for modification  C:\Program Files\DismountUndo.wps
    File opened for modification  C:\Program Files\PingJoin.wmf
    File opened for modification  C:\Program Files\RegisterConfirm.jpeg
    File opened for modification  C:\Program Files\RestoreUnblock.wmv
    File opened for modification  C:\Program Files\ResumeInvoke.eprtx
    File opened for modification  C:\Program Files\SaveUnlock.dib
    File opened for modification  C:\Program Files\CompareUnblock.html
    File opened for modification  C:\Program Files\FormatSave.tiff
    File opened for modification  C:\Program Files\HideSet.mp4
    File opened for modification  C:\Program Files\TraceClear.shtml
    File opened for modification  C:\Program Files\WatchTrace.css
    File created                  C:\Program Files\8f6237d58f62303941c.lock
    File opened for modification  C:\Program Files\CheckpointFind.potx
    File opened for modification  C:\Program Files\CompressOut.wmf
    File opened for modification  C:\Program Files\ExitEnter.doc
    File opened for modification  C:\Program Files\JoinUpdate.vdw
    File opened for modification  C:\Program Files\SearchResize.cr2
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (process for every row: 2019-05-22-Rig-EK-payload-Gandcrab-ransomware.exe):
    description        ioc
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid   process
    2584  2019-05-22-Rig-EK-payload-Gandcrab-ransomware.exe (6 entries, all with this pid)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                 pid   process
    Token: SeBackupPrivilege    2412  vssvc.exe
    Token: SeRestorePrivilege   2412  vssvc.exe
    Token: SeAuditPrivilege     2412  vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process                                             target process
    PID 2584 wrote to memory of 1808   2584  2019-05-22-Rig-EK-payload-Gandcrab-ransomware.exe  cmd.exe (3 entries)
    PID 1808 wrote to memory of 68     1808  cmd.exe                                             vssadmin.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2019-05-22-Rig-EK-payload-Gandcrab-ransomware.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2019-05-22-Rig-EK-payload-Gandcrab-ransomware.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k networkservice -s TapiSrv
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\KSPREIW-MANUAL.txt
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\KSPREIW-MANUAL.txt
  MD5: bfdac2e89d6d76a40416770da4b2399a
  SHA1: 18825238f8f5f59d91c066f212d20690fb22658f
  SHA256: dc1a103184deb9fcff751b3956dfde357fb0b8668d64846df22aeb686b938b75
  SHA512: 81b195c4d465c72f0386b28b1388f9896a666b0c9d865a6ccb8a0bf660cc52c9c566782c41097a69dbbac341b6f1a49a675708173a6a1e005a89883d997881ec
- memory/68-119-0x0000000000000000-mapping.dmp
- memory/1808-118-0x0000000000000000-mapping.dmp
- memory/2584-115-0x0000000000730000-0x0000000000740000-memory.dmp
  Filesize: 64KB
- memory/2584-116-0x0000000002260000-0x0000000002261000-memory.dmp
  Filesize: 4KB
- memory/2584-117-0x0000000000400000-0x00000000004A9000-memory.dmp
  Filesize: 676KB