Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 18:27
- Static task: static1
- Behavioral task: behavioral1
- Sample: c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe
- Resource: win7-en-20211208
General
- Target: c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe (the file is named after its SHA256)
- Size: 139KB
- MD5: 8e0ecc245f56f77e720c54f765cfa396
- SHA1: 30fbeb1a83800dd32bb17e1b302f475572cfd734
- SHA256: c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751
- SHA512: 4b1c731a7bfe5252459fbe1c428375555de6f93aeb3fe3be4291f38bd1f0a71da9995e0a8896551ebdca40039290afb6254027c138e0154da6e4dde92b089514
Malware Config
Extracted
- Ransom note: C:\LAIAXR-DECRYPT.txt
- Tor (.onion) URL: http://gandcrabmfe6mnef.onion/4caf04a6b51f9641
Signatures
- Gandcrab
  GandCrab is a ransomware family (sold as ransomware-as-a-service during 2018-2019) that encrypts the victim's files, appends a per-victim extension (.laiaxr in this run) and drops a <EXT>-DECRYPT.txt note pointing to a Tor portal. The note name, the random extension and the gandcrabmfe6mnef.onion host in the extracted config are consistent with the v4/v5 generation named by the Suricata rule below.
- suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
- suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity (listed twice in the report)
- Deletes shadow copies (2 TTPs)
  Ransomware deletes Volume Shadow Copies so the victim cannot roll files back. In this run the sample launched wmic.exe with the arguments "shadowcopy delete" (see the process tree); the VSS service process vssvc.exe then appears as a separate root in the tree because it is started on demand by the Service Control Manager, not as a child of the sample.
- Modifies extensions of user files (12 IoCs)
  Ransomware generally changes the extension on encrypted files. Every event below was produced by c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe; the appended extension is .laiaxr, and the two "opened for modification" entries show the same files being rewritten as well as renamed.
  Processes (description / ioc):
  - File renamed: C:\Users\Admin\Pictures\HideUninstall.raw => C:\Users\Admin\Pictures\HideUninstall.raw.laiaxr
  - File renamed: C:\Users\Admin\Pictures\OpenWait.tif => C:\Users\Admin\Pictures\OpenWait.tif.laiaxr
  - File renamed: C:\Users\Admin\Pictures\OutUse.tiff => C:\Users\Admin\Pictures\OutUse.tiff.laiaxr
  - File renamed: C:\Users\Admin\Pictures\SuspendUse.png => C:\Users\Admin\Pictures\SuspendUse.png.laiaxr
  - File renamed: C:\Users\Admin\Pictures\CloseCompare.raw => C:\Users\Admin\Pictures\CloseCompare.raw.laiaxr
  - File opened for modification: C:\Users\Admin\Pictures\CopyAdd.tiff
  - File renamed: C:\Users\Admin\Pictures\CopyAdd.tiff => C:\Users\Admin\Pictures\CopyAdd.tiff.laiaxr
  - File renamed: C:\Users\Admin\Pictures\CopyLock.raw => C:\Users\Admin\Pictures\CopyLock.raw.laiaxr
  - File opened for modification: C:\Users\Admin\Pictures\OutUse.tiff
  - File renamed: C:\Users\Admin\Pictures\SwitchRemove.raw => C:\Users\Admin\Pictures\SwitchRemove.raw.laiaxr
  - File renamed: C:\Users\Admin\Pictures\SyncGroup.png => C:\Users\Admin\Pictures\SyncGroup.png.laiaxr
  - File renamed: C:\Users\Admin\Pictures\ClearInvoke.tif => C:\Users\Admin\Pictures\ClearInvoke.tif.laiaxr
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. No concrete IoC is listed for this signature in the report, so treat it as a weak indicator here: for a ransomware sample it is consistent with the encryption walk simply reaching the browser profile directories rather than with credential theft.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive. c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe opened (read-only) the root of every drive letter except C: and D:, which is the usual pre-encryption sweep for additional volumes, mapped network drives and removable media.
  Processes: File opened (read-only), in report order:
  \??\E: \??\N: \??\U: \??\M: \??\P: \??\V: \??\A: \??\B: \??\H: \??\I: \??\K: \??\Z: \??\X: \??\F: \??\J: \??\Q: \??\R: \??\S: \??\Y: \??\G: \??\L: \??\O: \??\T: \??\W:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes:
  - Set value (str): \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" (c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe)
  This is the HKCU Wallpaper value of the logged-on user (RID 1000); the bitmap is dropped in %TEMP% to put the ransom message on the desktop. The path is shown with escaped backslashes exactly as the sandbox recorded it.
- Drops file in Program Files directory (38 IoCs)
  All entries belong to c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe. The 38 events break down into 5 ransom notes, 5 marker files and 28 data files opened for modification (the same rewrite step seen for the Pictures files above).
  File created, LAIAXR-DECRYPT.txt, in:
  - C:\Program Files\
  - C:\Program Files (x86)\
  - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
  - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
  - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\
  File created, b51f91a2b51f9646214.lock, in the same five directories.
  File opened for modification, all directly under C:\Program Files\:
  ConvertAdd.css, SplitApprove.wmx, SplitRedo.potx, UseStep.rar, CompleteBackup.mov, EnterNew.mov, SaveProtect.dotm, UndoGrant.M2V, WatchUnlock.wmf, AddSkip.xps, RepairRegister.001, PopUnregister.vsdm, ShowUse.wmx, ConvertAdd.mht, FindDismount.rar, PushCompress.doc, ReadSplit.dib, AssertImport.midi, CloseMerge.dib, ResolveStop.potm, ResumeRedo.vsw, ResetTrace.xlsm, UnblockImport.odt, UnlockExit.wmv, ConfirmResume.vssx, ImportStep.vsd, MountConfirm.wax, RestoreUnprotect.mpe
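The four file-system and registry signatures above (renamed user files, drive enumeration, wallpaper change, notes and markers dropped under Program Files) are the observable footprint of this sample. The following is an added example, not part of the sandbox report or its tooling: a small Python parser for rows in the same "description ioc" shape, fed with a constructed subset of the entries above, that derives the appended extension, the set of drive roots probed, files created under the same name in several directories, and wallpaper changes, and turns them into a list of findings. The thresholds min_renames and min_drives are assumptions.

```python
import re
from collections import Counter

# Constructed input: a subset of the report's IoC rows, one per line, in the
# "description ioc" shape used above (the process column is dropped because
# every row belongs to the sample). Paths are from the report; layout is ours.
EVENTS = r"""
File renamed C:\Users\Admin\Pictures\HideUninstall.raw => C:\Users\Admin\Pictures\HideUninstall.raw.laiaxr
File renamed C:\Users\Admin\Pictures\OpenWait.tif => C:\Users\Admin\Pictures\OpenWait.tif.laiaxr
File renamed C:\Users\Admin\Pictures\OutUse.tiff => C:\Users\Admin\Pictures\OutUse.tiff.laiaxr
File opened for modification C:\Users\Admin\Pictures\CopyAdd.tiff
File opened (read-only) \??\E:
File opened (read-only) \??\N:
File opened (read-only) \??\A:
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"
File created C:\Program Files\LAIAXR-DECRYPT.txt
File created C:\Program Files (x86)\LAIAXR-DECRYPT.txt
File created C:\Program Files\b51f91a2b51f9646214.lock
File created C:\Program Files (x86)\b51f91a2b51f9646214.lock
"""

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")
DRIVE_RE = re.compile(r"^File opened \(read-only\) \\\?\?\\(?P<letter>[A-Z]):$")
CREATE_RE = re.compile(r"^File created (?P<path>.+)$")
REGSET_RE = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<value>.*)"$')


def parse_events(text):
    """Turn flattened report rows into (kind, a, b) tuples; unknown rows are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := RENAME_RE.match(line):
            events.append(("rename", m["src"], m["dst"]))
        elif m := DRIVE_RE.match(line):
            events.append(("drive", m["letter"], None))
        elif m := CREATE_RE.match(line):
            events.append(("create", m["path"], None))
        elif m := REGSET_RE.match(line):
            events.append(("regset", m["key"], m["value"]))
    return events


def appended_extension(events):
    """(ext, count) of the suffix most often appended to an otherwise unchanged name.
    Ransomware appends one fixed extension; ordinary renames rarely share one."""
    suffixes = Counter()
    for kind, src, dst in events:
        if kind == "rename" and dst.startswith(src + "."):
            suffixes[dst[len(src):]] += 1
    if not suffixes:
        return None, 0
    return suffixes.most_common(1)[0]


def enumerated_drives(events):
    return sorted({a for kind, a, _ in events if kind == "drive"})


def multi_dir_creates(events, min_dirs=2):
    """Basenames created in several directories: dropped notes and marker files."""
    by_name = {}
    for kind, path, _ in events:
        if kind == "create":
            by_name.setdefault(path.rsplit("\\", 1)[-1], set()).add(path)
    return {n: sorted(p) for n, p in by_name.items() if len(p) >= min_dirs}


def wallpaper_changes(events):
    return [(k, v) for kind, k, v in events
            if kind == "regset" and k.endswith("\\Control Panel\\Desktop\\Wallpaper")]


def findings(events, min_renames=3, min_drives=3):
    """Assumed thresholds; returns one human-readable finding per matched heuristic."""
    out = []
    ext, n = appended_extension(events)
    if n >= min_renames:
        out.append(f"{n} files renamed with appended extension {ext}")
    drives = enumerated_drives(events)
    if len(drives) >= min_drives:
        out.append(f"probed {len(drives)} drive roots: {', '.join(drives)}")
    notes = multi_dir_creates(events)
    if notes:
        out.append("same file dropped in multiple directories: " + ", ".join(sorted(notes)))
    if wallpaper_changes(events):
        out.append("desktop wallpaper replaced via HKCU registry")
    return out


if __name__ == "__main__":
    for f in findings(parse_events(EVENTS)):
        print("-", f)
```

On a full report the parser runs over every "Processes:" row at once; the extension heuristic is what makes .laiaxr fall out of the data rather than being looked up, and the multi-directory create check catches the note and the .lock marker without knowing their names in advance.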
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read to detect sandboxing environments or to fingerprint the host. ProcessorNameString is the human-readable CPU model string and Identifier the family/model/stepping string.
  Processes (c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe):
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PID 1660 c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe (two process enumerations)
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  Processes:
  - wmic.exe (PID 1188) enabled the following privileges, and then the same set a second time (40 of the 43 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the unnamed privilege LUIDs 33, 34, 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege in winnt.h numbering).
  - vssvc.exe (PID 520): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege.
  wmic.exe enabling every privilege already present in its token is routinely seen for any wmic.exe invocation and is not something the sample did itself; the detection-relevant facts are which process launched it and with what arguments.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 1660 (c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe) wrote to the memory of PID 1188 (wmic.exe) four times.
  PID 1188 is the child that 1660 created to run "shadowcopy delete"; a parent writing into a child it has just created is the normal CreateProcess set-up, so on its own this is not evidence of code injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe (PID 1660)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe"
   - Modifies extensions of user files
   - Enumerates connected drives
   - Sets desktop wallpaper using registry
   - Drops file in Program Files directory
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\wbem\wmic.exe (PID 1188, child of 1660)
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\system32\vssvc.exe (PID 520)
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
Note that the child's command line names system32\wbem\wmic.exe while its image path is SysWOW64\wbem\wmic.exe: WoW64 file-system redirection rewrote the path, which tells you the sample is a 32-bit executable. vssvc.exe has no parent in the tree because the VSS service is started on demand by the Service Control Manager when wmic.exe issues the shadow copy deletion.
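The process tree above is the shape a detection should key on: a binary in a user-writable directory spawning a built-in utility with shadow-copy deletion arguments. The following is an added example, not part of the sandbox report or its tooling: a Python detector run over constructed process-creation records in Sysmon Event ID 1 terms. The PIDs, images and command lines of the first two records follow the tree above; the explorer.exe parent, the PPIDs and the two vssadmin rows are assumptions added for contrast. It generalises beyond this sample to the other utilities commonly used for the same purpose (vssadmin, wbadmin, diskshadow) and normalises the SysWOW64 redirection seen here.

```python
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe")

# Constructed records (Sysmon Event ID 1 fields). Rows 1-2 mirror the tree
# above; parent of the sample, PPIDs and the vssadmin rows are assumptions.
RECORDS = [
    {"pid": 1660, "ppid": 1100, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"pid": 1188, "ppid": 1660, "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "parent_image": SAMPLE,
     "cmdline": r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'},
    # benign contrast: an administrator only listing the copies
    {"pid": 2020, "ppid": 900, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},
    {"pid": 2044, "ppid": 900, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
]

# (image basename, argument pattern) pairs for shadow copy / backup inhibition
# through built-in utilities. Matching is case-insensitive on a
# whitespace-collapsed command line.
PATTERNS = [
    ("wmic.exe", re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I)),
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("vssadmin.exe", re.compile(r"\bresize\s+shadowstorage\b", re.I)),
    ("wbadmin.exe", re.compile(r"\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
    ("diskshadow.exe", re.compile(r"\bdelete\s+shadows\b", re.I)),
]

# Parent living in a user-writable location raises severity (assumed policy).
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Users\\Public|ProgramData)\\", re.I)


def basename(path):
    """Compare by basename so System32 vs SysWOW64 redirection does not matter."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_shadow_copy_deletion(records):
    """Return one alert per record whose image and arguments match PATTERNS."""
    alerts = []
    for r in records:
        cmd = " ".join(r["cmdline"].split())
        img = basename(r["image"])
        for tool, pat in PATTERNS:
            stem = tool[:-4]
            # image match, or the tool named on the command line (cmd /c vssadmin ...)
            named = img == tool or re.search(rf"\b{stem}(\.exe)?\b", cmd, re.I)
            if named and pat.search(cmd):
                severity = "high" if USER_WRITABLE.search(r["parent_image"]) else "medium"
                alerts.append({"pid": r["pid"], "ppid": r["ppid"], "tool": tool,
                               "cmdline": cmd, "parent": r["parent_image"],
                               "severity": severity})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_copy_deletion(RECORDS):
        print(f"[{a['severity']}] pid {a['pid']} {a['tool']}: {a['cmdline']} (parent {a['parent']})")
```

Fed with real Sysmon or Security 4688 telemetry the same function produces the two alerts below with no changes; the medium-severity vssadmin hit from cmd.exe is the kind an administrator can legitimately generate, which is why the parent's location, not the command alone, drives the severity.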
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1660-54-0x0000000076851000-0x0000000076853000-memory.dmp (8KB): memory region dumped from PID 1660 (the sample), 0x76851000-0x76853000.