Analysis
-
max time kernel
123s -
max time network
141s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
28-01-2022 17:47
Static task
static1
Behavioral task
behavioral1
Sample
e564e87958b3e76bc9bfeb5bed773b7a17f3a82f84872acdbb609aa43a9cd776.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
e564e87958b3e76bc9bfeb5bed773b7a17f3a82f84872acdbb609aa43a9cd776.dll
Resource
win10-en-20211208
General
-
Target
e564e87958b3e76bc9bfeb5bed773b7a17f3a82f84872acdbb609aa43a9cd776.dll
-
Size
130KB
-
MD5
c397591f6b7678fa7c260cad23f97fbc
-
SHA1
b65fcaf06f0d5f09a731d8106df46a7bd30f9787
-
SHA256
e564e87958b3e76bc9bfeb5bed773b7a17f3a82f84872acdbb609aa43a9cd776
-
SHA512
e3d07bc186c1d6ee301ea307fa76e83bea24b60b6d63efc09c6a295424a945668cf0bf61463bb465fbe46f11180249137527eb8cb0af9d45e4af351746f6d07c
Malware Config
Extracted
C:\VRTESKJRZB-DECRYPT.txt
http://gandcrabmfe6mnef.onion/6401397625c34536
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\W: rundll32.exe -
Drops file in Program Files directory 8 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification C:\Program Files\DisconnectExit.scf rundll32.exe File opened for modification C:\Program Files\DisconnectRequest.xla rundll32.exe File opened for modification C:\Program Files\DismountStop.xlsx rundll32.exe File created C:\Program Files\VRTESKJRZB-DECRYPT.txt rundll32.exe File created C:\Program Files\25c342d525c34531617.lock rundll32.exe File opened for modification C:\Program Files\BackupEnter.mpg rundll32.exe File opened for modification C:\Program Files\CheckpointNew.fon rundll32.exe File opened for modification C:\Program Files\ConvertToDismount.dxf rundll32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1980 2852 WerFault.exe rundll32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
rundll32.exeWerFault.exepid process 2852 rundll32.exe 2852 rundll32.exe 2852 rundll32.exe 2852 rundll32.exe 1980 WerFault.exe 1980 WerFault.exe 1980 WerFault.exe 1980 WerFault.exe 1980 WerFault.exe 1980 WerFault.exe 1980 WerFault.exe 1980 WerFault.exe 1980 WerFault.exe 1980 WerFault.exe 1980 WerFault.exe 1980 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 1980 WerFault.exe Token: SeBackupPrivilege 1980 WerFault.exe Token: SeDebugPrivilege 1980 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 2796 wrote to memory of 2852 2796 rundll32.exe rundll32.exe PID 2796 wrote to memory of 2852 2796 rundll32.exe rundll32.exe PID 2796 wrote to memory of 2852 2796 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e564e87958b3e76bc9bfeb5bed773b7a17f3a82f84872acdbb609aa43a9cd776.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e564e87958b3e76bc9bfeb5bed773b7a17f3a82f84872acdbb609aa43a9cd776.dll,#12⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 6803⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken