Analysis
-
max time kernel
91s -
max time network
100s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
21-10-2021 09:16
Static task
static1
General
-
Target
872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe
-
Size
168KB
-
MD5
700a4f7ed40dd9ac29891c2ec3d4bef7
-
SHA1
1546e3bbe9eb3e6b185097226bb758d98a207429
-
SHA256
872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f
-
SHA512
1b615297f445eb4c3909e46191834450191b6e9716a83c380a02db6566dd96431f6e2271c01508d3f271af0b4fbfff31b485e1fc6bf952a4b2177aa41fb65c0a
Malware Config
Extracted
C:\ZVRYIONLNM-DECRYPT.txt
http://gandcrabmfe6mnef.onion/53559f29a53d0f6d
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exedescription ioc process File renamed C:\Users\Admin\Pictures\CompressWait.raw => C:\Users\Admin\Pictures\CompressWait.raw.zvryionlnm 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File renamed C:\Users\Admin\Pictures\InitializeStart.raw => C:\Users\Admin\Pictures\InitializeStart.raw.zvryionlnm 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File renamed C:\Users\Admin\Pictures\RemoveStep.crw => C:\Users\Admin\Pictures\RemoveStep.crw.zvryionlnm 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File renamed C:\Users\Admin\Pictures\CloseGroup.png => C:\Users\Admin\Pictures\CloseGroup.png.zvryionlnm 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe -
Drops startup file 2 IoCs
Processes:
872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ZVRYIONLNM-DECRYPT.txt 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\a53d088da53d0f6141c.lock 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exedescription ioc process File opened (read-only) \??\W: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\X: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\Y: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\B: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\F: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\M: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\Q: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\R: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\T: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\V: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\Z: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\H: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\L: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\P: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\J: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\K: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\N: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\O: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\S: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\A: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\E: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\G: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\I: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened (read-only) \??\U: 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe -
Drops file in Program Files directory 23 IoCs
Processes:
872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exedescription ioc process File opened for modification C:\Program Files\UnprotectStart.iso 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\MeasureInitialize.iso 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\RemoveStop.DVR-MS 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\UnblockSubmit.ppt 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\UndoImport.ini 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File created C:\Program Files\a53d088da53d0f6141c.lock 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\EditConvert.dot 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\EnterStart.temp 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\InitializeCompress.eprtx 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File created C:\Program Files (x86)\ZVRYIONLNM-DECRYPT.txt 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File created C:\Program Files (x86)\a53d088da53d0f6141c.lock 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\DebugUnprotect.mpv2 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\HideUnblock.mp2v 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\AddCheckpoint.docm 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\AssertWrite.7z 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\CompressSwitch.ods 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\ConfirmWait.WTV 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\NewShow.wma 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\StopConfirm.ods 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File created C:\Program Files\ZVRYIONLNM-DECRYPT.txt 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\AssertStep.ppsx 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\ExitSearch.potx 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe File opened for modification C:\Program Files\ImportRevoke.txt 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe -
Processes:
872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exepid process 2276 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe 2276 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe 2276 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe 2276 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
wmic.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 2128 wmic.exe Token: SeSecurityPrivilege 2128 wmic.exe Token: SeTakeOwnershipPrivilege 2128 wmic.exe Token: SeLoadDriverPrivilege 2128 wmic.exe Token: SeSystemProfilePrivilege 2128 wmic.exe Token: SeSystemtimePrivilege 2128 wmic.exe Token: SeProfSingleProcessPrivilege 2128 wmic.exe Token: SeIncBasePriorityPrivilege 2128 wmic.exe Token: SeCreatePagefilePrivilege 2128 wmic.exe Token: SeBackupPrivilege 2128 wmic.exe Token: SeRestorePrivilege 2128 wmic.exe Token: SeShutdownPrivilege 2128 wmic.exe Token: SeDebugPrivilege 2128 wmic.exe Token: SeSystemEnvironmentPrivilege 2128 wmic.exe Token: SeRemoteShutdownPrivilege 2128 wmic.exe Token: SeUndockPrivilege 2128 wmic.exe Token: SeManageVolumePrivilege 2128 wmic.exe Token: 33 2128 wmic.exe Token: 34 2128 wmic.exe Token: 35 2128 wmic.exe Token: 36 2128 wmic.exe Token: SeIncreaseQuotaPrivilege 2128 wmic.exe Token: SeSecurityPrivilege 2128 wmic.exe Token: SeTakeOwnershipPrivilege 2128 wmic.exe Token: SeLoadDriverPrivilege 2128 wmic.exe Token: SeSystemProfilePrivilege 2128 wmic.exe Token: SeSystemtimePrivilege 2128 wmic.exe Token: SeProfSingleProcessPrivilege 2128 wmic.exe Token: SeIncBasePriorityPrivilege 2128 wmic.exe Token: SeCreatePagefilePrivilege 2128 wmic.exe Token: SeBackupPrivilege 2128 wmic.exe Token: SeRestorePrivilege 2128 wmic.exe Token: SeShutdownPrivilege 2128 wmic.exe Token: SeDebugPrivilege 2128 wmic.exe Token: SeSystemEnvironmentPrivilege 2128 wmic.exe Token: SeRemoteShutdownPrivilege 2128 wmic.exe Token: SeUndockPrivilege 2128 wmic.exe Token: SeManageVolumePrivilege 2128 wmic.exe Token: 33 2128 wmic.exe Token: 34 2128 wmic.exe Token: 35 2128 wmic.exe Token: 36 2128 wmic.exe Token: SeBackupPrivilege 608 vssvc.exe Token: SeRestorePrivilege 608 vssvc.exe Token: SeAuditPrivilege 608 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exedescription pid process target process PID 2276 wrote to memory of 2128 2276 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe wmic.exe PID 2276 wrote to memory of 2128 2276 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe wmic.exe PID 2276 wrote to memory of 2128 2276 872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe wmic.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe"C:\Users\Admin\AppData\Local\Temp\872bf2c276fe3242513c2ed1b254a5ab3c0dea273dde944c05b711697811753f.sample.exe"Modifies extensions of user filesDrops startup fileEnumerates connected drivesSets desktop wallpaper using registryDrops file in Program Files directoryChecks processor information in registryModifies system certificate storeSuspicious behavior: EnumeratesProcessesSuspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" shadowcopy deleteSuspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeSuspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Collection
Data from Local System
1Command and Control
Credential Access
Credentials in Files
1Discovery
Query Registry
2System Information Discovery
3Peripheral Device Discovery
1Execution
Exfiltration
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
Downloads
-
memory/2128-115-0x0000000000000000-mapping.dmp