Analysis
max time kernel: 146s
max time network: 162s
platform: windows10_x64
resource: win10-en-20211208
submitted: 28-01-2022 18:27
Static task: static1
Behavioral task: behavioral1
Sample: c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe
Resource: win7-en-20211208
General
Target: c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe
Size: 139KB
MD5: 8e0ecc245f56f77e720c54f765cfa396
SHA1: 30fbeb1a83800dd32bb17e1b302f475572cfd734
SHA256: c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751
SHA512: 4b1c731a7bfe5252459fbe1c428375555de6f93aeb3fe3be4291f38bd1f0a71da9995e0a8896551ebdca40039290afb6254027c138e0154da6e4dde92b089514
Malware Config
Extracted
Path: C:\WFBAWA-DECRYPT.txt
URL: http://gandcrabmfe6mnef.onion/2c209707288388ca
Signatures
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files (12 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
process (all rows): c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe
description | ioc
File renamed | C:\Users\Admin\Pictures\ConvertSkip.tiff => C:\Users\Admin\Pictures\ConvertSkip.tiff.wfbawa
File renamed | C:\Users\Admin\Pictures\GrantFormat.png => C:\Users\Admin\Pictures\GrantFormat.png.wfbawa
File renamed | C:\Users\Admin\Pictures\MoveAdd.crw => C:\Users\Admin\Pictures\MoveAdd.crw.wfbawa
File renamed | C:\Users\Admin\Pictures\PublishEdit.crw => C:\Users\Admin\Pictures\PublishEdit.crw.wfbawa
File renamed | C:\Users\Admin\Pictures\ConfirmBlock.raw => C:\Users\Admin\Pictures\ConfirmBlock.raw.wfbawa
File renamed | C:\Users\Admin\Pictures\ConvertFromAssert.raw => C:\Users\Admin\Pictures\ConvertFromAssert.raw.wfbawa
File opened for modification | C:\Users\Admin\Pictures\ConvertSkip.tiff
File renamed | C:\Users\Admin\Pictures\EnableImport.raw => C:\Users\Admin\Pictures\EnableImport.raw.wfbawa
File renamed | C:\Users\Admin\Pictures\ResizeDismount.raw => C:\Users\Admin\Pictures\ResizeDismount.raw.wfbawa
File renamed | C:\Users\Admin\Pictures\UninstallCheckpoint.raw => C:\Users\Admin\Pictures\UninstallCheckpoint.raw.wfbawa
File renamed | C:\Users\Admin\Pictures\UninstallClear.png => C:\Users\Admin\Pictures\UninstallClear.png.wfbawa
File renamed | C:\Users\Admin\Pictures\UnprotectRestore.raw => C:\Users\Admin\Pictures\UnprotectRestore.raw.wfbawa
Drops startup file (2 IoCs)
Processes:
process (all rows): c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe
description | ioc
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\WFBAWA-DECRYPT.txt
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\28838f29288388cd617.lock
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
process (all rows): c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe
description | ioc
File opened (read-only) | \??\T:
File opened (read-only) | \??\V:
File opened (read-only) | \??\Y:
File opened (read-only) | \??\Z:
File opened (read-only) | \??\F:
File opened (read-only) | \??\H:
File opened (read-only) | \??\I:
File opened (read-only) | \??\L:
File opened (read-only) | \??\E:
File opened (read-only) | \??\R:
File opened (read-only) | \??\U:
File opened (read-only) | \??\A:
File opened (read-only) | \??\J:
File opened (read-only) | \??\O:
File opened (read-only) | \??\Q:
File opened (read-only) | \??\N:
File opened (read-only) | \??\P:
File opened (read-only) | \??\S:
File opened (read-only) | \??\W:
File opened (read-only) | \??\B:
File opened (read-only) | \??\G:
File opened (read-only) | \??\K:
File opened (read-only) | \??\M:
File opened (read-only) | \??\X:
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes:
process (all rows): c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe
description | ioc
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"
Drops file in Program Files directory (41 IoCs)
Processes:
process (all rows): c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe
description | ioc
File opened for modification | C:\Program Files\CompareGrant.ADTS
File opened for modification | C:\Program Files\StepConfirm.mht
File opened for modification | C:\Program Files\StopClose.3gpp
File opened for modification | C:\Program Files\UpdateCheckpoint.xhtml
File opened for modification | C:\Program Files\UpdateSave.mp4v
File opened for modification | C:\Program Files\WaitComplete.css
File opened for modification | C:\Program Files\BackupSelect.pot
File opened for modification | C:\Program Files\CheckpointRestart.inf
File opened for modification | C:\Program Files\RestoreApprove.dotm
File opened for modification | C:\Program Files\RevokeRegister.shtml
File opened for modification | C:\Program Files\ExportShow.asf
File opened for modification | C:\Program Files\StepConvert.svgz
File opened for modification | C:\Program Files\SubmitGrant.mov
File opened for modification | C:\Program Files\BlockUndo.mp2
File opened for modification | C:\Program Files\ClearFormat.snd
File opened for modification | C:\Program Files\RepairDebug.bmp
File opened for modification | C:\Program Files\SearchCopy.mpv2
File opened for modification | C:\Program Files\UpdateInvoke.mpeg3
File opened for modification | C:\Program Files\ExpandRepair.iso
File opened for modification | C:\Program Files\InitializeHide.bin
File created | C:\Program Files (x86)\28838f29288388cd617.lock
File opened for modification | C:\Program Files\ConvertRegister.mpeg2
File opened for modification | C:\Program Files\RestartSwitch.php
File opened for modification | C:\Program Files\SkipUninstall.wdp
File created | C:\Program Files (x86)\WFBAWA-DECRYPT.txt
File created | C:\Program Files\WFBAWA-DECRYPT.txt
File opened for modification | C:\Program Files\ConvertFromCompare.tiff
File opened for modification | C:\Program Files\DismountOut.mpeg
File opened for modification | C:\Program Files\ShowCompress.avi
File opened for modification | C:\Program Files\StepWrite.mhtml
File opened for modification | C:\Program Files\UninstallUpdate.mht
File created | C:\Program Files\28838f29288388cd617.lock
File opened for modification | C:\Program Files\ApproveDisconnect.dwfx
File opened for modification | C:\Program Files\FormatRegister.aif
File opened for modification | C:\Program Files\OutUnregister.vbs
File opened for modification | C:\Program Files\RegisterMount.dot
File opened for modification | C:\Program Files\RepairAdd.xlt
File opened for modification | C:\Program Files\SkipGet.asf
File opened for modification | C:\Program Files\SyncAssert.pcx
File opened for modification | C:\Program Files\EditGroup.dot
File opened for modification | C:\Program Files\EnterApprove.htm
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
process (all rows): c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe
description | ioc
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid | process
2744 | c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe
2744 | c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe
2744 | c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe
2744 | c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes: wmic.exe, vssvc.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 512 | wmic.exe
Token: SeSecurityPrivilege | 512 | wmic.exe
Token: SeTakeOwnershipPrivilege | 512 | wmic.exe
Token: SeLoadDriverPrivilege | 512 | wmic.exe
Token: SeSystemProfilePrivilege | 512 | wmic.exe
Token: SeSystemtimePrivilege | 512 | wmic.exe
Token: SeProfSingleProcessPrivilege | 512 | wmic.exe
Token: SeIncBasePriorityPrivilege | 512 | wmic.exe
Token: SeCreatePagefilePrivilege | 512 | wmic.exe
Token: SeBackupPrivilege | 512 | wmic.exe
Token: SeRestorePrivilege | 512 | wmic.exe
Token: SeShutdownPrivilege | 512 | wmic.exe
Token: SeDebugPrivilege | 512 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 512 | wmic.exe
Token: SeRemoteShutdownPrivilege | 512 | wmic.exe
Token: SeUndockPrivilege | 512 | wmic.exe
Token: SeManageVolumePrivilege | 512 | wmic.exe
Token: 33 | 512 | wmic.exe
Token: 34 | 512 | wmic.exe
Token: 35 | 512 | wmic.exe
Token: 36 | 512 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 512 | wmic.exe
Token: SeSecurityPrivilege | 512 | wmic.exe
Token: SeTakeOwnershipPrivilege | 512 | wmic.exe
Token: SeLoadDriverPrivilege | 512 | wmic.exe
Token: SeSystemProfilePrivilege | 512 | wmic.exe
Token: SeSystemtimePrivilege | 512 | wmic.exe
Token: SeProfSingleProcessPrivilege | 512 | wmic.exe
Token: SeIncBasePriorityPrivilege | 512 | wmic.exe
Token: SeCreatePagefilePrivilege | 512 | wmic.exe
Token: SeBackupPrivilege | 512 | wmic.exe
Token: SeRestorePrivilege | 512 | wmic.exe
Token: SeShutdownPrivilege | 512 | wmic.exe
Token: SeDebugPrivilege | 512 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 512 | wmic.exe
Token: SeRemoteShutdownPrivilege | 512 | wmic.exe
Token: SeUndockPrivilege | 512 | wmic.exe
Token: SeManageVolumePrivilege | 512 | wmic.exe
Token: 33 | 512 | wmic.exe
Token: 34 | 512 | wmic.exe
Token: 35 | 512 | wmic.exe
Token: 36 | 512 | wmic.exe
Token: SeBackupPrivilege | 3424 | vssvc.exe
Token: SeRestorePrivilege | 3424 | vssvc.exe
Token: SeAuditPrivilege | 3424 | vssvc.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process
PID 2744 wrote to memory of 512 | 2744 | c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe | wmic.exe
PID 2744 wrote to memory of 512 | 2744 | c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe | wmic.exe
PID 2744 wrote to memory of 512 | 2744 | c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe | wmic.exe
Processes
C:\Users\Admin\AppData\Local\Temp\c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c5aef7cf92dfe4d5be086d9dd75f960e54024499ca86d768460ddcdefe59b751.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child process: C:\Windows\SysWOW64\wbem\wmic.exe
    command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken