gandcrab | 330097c6070ef1e4f773d87c0e53e64ca41dc5bbc22acd4ccece890ddd953b2c

Analysis

max time kernel
153s
max time network
158s
platform
windows10_x64
resource
win10-en-20211104
submitted
02-12-2021 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GandCrab.bin.exe
Size

183KB
MD5

07fadb006486953439ce0092651fd7a6
SHA1

e42431d37561cc695de03b85e8e99c9e31321742
SHA256

d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0
SHA512

5b09a07371bb5350b22c78aa3e7e673ba61ce72a964e072749a4633e2c15f416c05953cc6e6f6c586df010aa7f2c9c0ab87a014e4f732e5fdb2d58778a1fb437

Score

10^/10

gandcrab backdoor ransomware spyware stealer suricata

Malware Config

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ClearUnregister.raw => C:\Users\Admin\Pictures\ClearUnregister.raw.uwsie	GandCrab.bin.exe
File renamed	C:\Users\Admin\Pictures\ConvertOpen.tif => C:\Users\Admin\Pictures\ConvertOpen.tif.uwsie	GandCrab.bin.exe
File renamed	C:\Users\Admin\Pictures\AssertUndo.crw => C:\Users\Admin\Pictures\AssertUndo.crw.uwsie	GandCrab.bin.exe
File renamed	C:\Users\Admin\Pictures\ClearRead.crw => C:\Users\Admin\Pictures\ClearRead.crw.uwsie	GandCrab.bin.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\UWSIE-DECRYPT.html	GandCrab.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\da722250da7225ba7d.lock	GandCrab.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	GandCrab.bin.exe
File opened (read-only)	\??\J:	GandCrab.bin.exe
File opened (read-only)	\??\M:	GandCrab.bin.exe
File opened (read-only)	\??\P:	GandCrab.bin.exe
File opened (read-only)	\??\Q:	GandCrab.bin.exe
File opened (read-only)	\??\S:	GandCrab.bin.exe
File opened (read-only)	\??\H:	GandCrab.bin.exe
File opened (read-only)	\??\N:	GandCrab.bin.exe
File opened (read-only)	\??\V:	GandCrab.bin.exe
File opened (read-only)	\??\X:	GandCrab.bin.exe
File opened (read-only)	\??\Z:	GandCrab.bin.exe
File opened (read-only)	\??\B:	GandCrab.bin.exe
File opened (read-only)	\??\G:	GandCrab.bin.exe
File opened (read-only)	\??\W:	GandCrab.bin.exe
File opened (read-only)	\??\R:	GandCrab.bin.exe
File opened (read-only)	\??\T:	GandCrab.bin.exe
File opened (read-only)	\??\E:	GandCrab.bin.exe
File opened (read-only)	\??\F:	GandCrab.bin.exe
File opened (read-only)	\??\I:	GandCrab.bin.exe
File opened (read-only)	\??\K:	GandCrab.bin.exe
File opened (read-only)	\??\L:	GandCrab.bin.exe
File opened (read-only)	\??\O:	GandCrab.bin.exe
File opened (read-only)	\??\U:	GandCrab.bin.exe
File opened (read-only)	\??\Y:	GandCrab.bin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"	GandCrab.bin.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\EditImport.sql	GandCrab.bin.exe
File opened for modification	C:\Program Files\ImportOut.wav	GandCrab.bin.exe
File opened for modification	C:\Program Files\RenameConvert.html	GandCrab.bin.exe
File opened for modification	C:\Program Files\RequestClose.xhtml	GandCrab.bin.exe
File opened for modification	C:\Program Files\UnprotectAssert.m4a	GandCrab.bin.exe
File opened for modification	C:\Program Files\ExitGrant.vst	GandCrab.bin.exe
File opened for modification	C:\Program Files\ReadSend.pcx	GandCrab.bin.exe
File opened for modification	C:\Program Files\SplitSwitch.asf	GandCrab.bin.exe
File opened for modification	C:\Program Files\UnregisterCompare.html	GandCrab.bin.exe
File opened for modification	C:\Program Files\UnregisterSkip.cfg	GandCrab.bin.exe
File created	C:\Program Files (x86)\da722250da7225ba7d.lock	GandCrab.bin.exe
File opened for modification	C:\Program Files\EnableRequest.mpeg2	GandCrab.bin.exe
File opened for modification	C:\Program Files\GrantNew.3g2	GandCrab.bin.exe
File opened for modification	C:\Program Files\ReceiveImport.wmf	GandCrab.bin.exe
File opened for modification	C:\Program Files\RedoHide.zip	GandCrab.bin.exe
File created	C:\Program Files\da722250da7225ba7d.lock	GandCrab.bin.exe
File opened for modification	C:\Program Files\RestoreUse.wmf	GandCrab.bin.exe
File opened for modification	C:\Program Files\ShowUnpublish.au	GandCrab.bin.exe
File opened for modification	C:\Program Files\DenyRegister.pcx	GandCrab.bin.exe
File opened for modification	C:\Program Files\DisableRegister.kix	GandCrab.bin.exe
File opened for modification	C:\Program Files\EditConnect.cfg	GandCrab.bin.exe
File opened for modification	C:\Program Files\FindReset.cr2	GandCrab.bin.exe
File opened for modification	C:\Program Files\HideSkip.3gpp	GandCrab.bin.exe
File opened for modification	C:\Program Files\LimitEnter.mpp	GandCrab.bin.exe
File opened for modification	C:\Program Files\DebugConvertTo.vssm	GandCrab.bin.exe
File opened for modification	C:\Program Files\DenyUnlock.ps1xml	GandCrab.bin.exe
File opened for modification	C:\Program Files\OutEnable.kix	GandCrab.bin.exe
File opened for modification	C:\Program Files\RenameEnter.xlsb	GandCrab.bin.exe
File opened for modification	C:\Program Files\ResizeConvertFrom.mp4	GandCrab.bin.exe
File opened for modification	C:\Program Files\SplitConvert.mp4	GandCrab.bin.exe
File created	C:\Program Files\UWSIE-DECRYPT.html	GandCrab.bin.exe
File opened for modification	C:\Program Files\ConvertToUse.rar	GandCrab.bin.exe
File opened for modification	C:\Program Files\DebugClose.svg	GandCrab.bin.exe
File opened for modification	C:\Program Files\DisableMount.asf	GandCrab.bin.exe
File opened for modification	C:\Program Files\WriteReset.htm	GandCrab.bin.exe
File created	C:\Program Files (x86)\UWSIE-DECRYPT.html	GandCrab.bin.exe
File opened for modification	C:\Program Files\ConfirmInvoke.midi	GandCrab.bin.exe
File opened for modification	C:\Program Files\DisableSync.potx	GandCrab.bin.exe
File opened for modification	C:\Program Files\InitializeUse.rar	GandCrab.bin.exe
File opened for modification	C:\Program Files\OpenSend.vssm	GandCrab.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GandCrab.bin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GandCrab.bin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GandCrab.bin.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	GandCrab.bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c0000000100000004000000000800000b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	GandCrab.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	GandCrab.bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	GandCrab.bin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2668	GandCrab.bin.exe
2668	GandCrab.bin.exe
2668	GandCrab.bin.exe
2668	GandCrab.bin.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1076	wmic.exe
Token: SeSecurityPrivilege	1076	wmic.exe
Token: SeTakeOwnershipPrivilege	1076	wmic.exe
Token: SeLoadDriverPrivilege	1076	wmic.exe
Token: SeSystemProfilePrivilege	1076	wmic.exe
Token: SeSystemtimePrivilege	1076	wmic.exe
Token: SeProfSingleProcessPrivilege	1076	wmic.exe
Token: SeIncBasePriorityPrivilege	1076	wmic.exe
Token: SeCreatePagefilePrivilege	1076	wmic.exe
Token: SeBackupPrivilege	1076	wmic.exe
Token: SeRestorePrivilege	1076	wmic.exe
Token: SeShutdownPrivilege	1076	wmic.exe
Token: SeDebugPrivilege	1076	wmic.exe
Token: SeSystemEnvironmentPrivilege	1076	wmic.exe
Token: SeRemoteShutdownPrivilege	1076	wmic.exe
Token: SeUndockPrivilege	1076	wmic.exe
Token: SeManageVolumePrivilege	1076	wmic.exe
Token: 33	1076	wmic.exe
Token: 34	1076	wmic.exe
Token: 35	1076	wmic.exe
Token: 36	1076	wmic.exe
Token: SeIncreaseQuotaPrivilege	1076	wmic.exe
Token: SeSecurityPrivilege	1076	wmic.exe
Token: SeTakeOwnershipPrivilege	1076	wmic.exe
Token: SeLoadDriverPrivilege	1076	wmic.exe
Token: SeSystemProfilePrivilege	1076	wmic.exe
Token: SeSystemtimePrivilege	1076	wmic.exe
Token: SeProfSingleProcessPrivilege	1076	wmic.exe
Token: SeIncBasePriorityPrivilege	1076	wmic.exe
Token: SeCreatePagefilePrivilege	1076	wmic.exe
Token: SeBackupPrivilege	1076	wmic.exe
Token: SeRestorePrivilege	1076	wmic.exe
Token: SeShutdownPrivilege	1076	wmic.exe
Token: SeDebugPrivilege	1076	wmic.exe
Token: SeSystemEnvironmentPrivilege	1076	wmic.exe
Token: SeRemoteShutdownPrivilege	1076	wmic.exe
Token: SeUndockPrivilege	1076	wmic.exe
Token: SeManageVolumePrivilege	1076	wmic.exe
Token: 33	1076	wmic.exe
Token: 34	1076	wmic.exe
Token: 35	1076	wmic.exe
Token: 36	1076	wmic.exe
Token: SeBackupPrivilege	1216	vssvc.exe
Token: SeRestorePrivilege	1216	vssvc.exe
Token: SeAuditPrivilege	1216	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1076	2668	GandCrab.bin.exe	70
PID 2668 wrote to memory of 1076	2668	GandCrab.bin.exe	70
PID 2668 wrote to memory of 1076	2668	GandCrab.bin.exe	70

C:\Users\Admin\AppData\Local\Temp\GandCrab.bin.exe
"C:\Users\Admin\AppData\Local\Temp\GandCrab.bin.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1076