Analysis
- max time kernel: 155s
- max time network: 178s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 17:56

Static task: static1

Behavioral task: behavioral1
- Sample: de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0.exe
- Resource: win10-en-20211208

General
- Target: de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0.exe
- Size: 63KB
- MD5: 211e4a365c02101b1f72e515f97bd5ee
- SHA1: 63423eca5f992c0b2268c314287676e04b3759aa
- SHA256: de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0
- SHA512: bb7fb11a2b08ac75f31de3bd1c764ffaf6364bfbce01d4fb34571a6a96c2f30f7631d304bd765451946f00770b0b6764f02931cac264e187d26d9b4032cf765e
Malware Config
Extracted
- Path: C:\MWRLLYMOH-DECRYPT.txt
- URL: http://gandcrabmfe6mnef.onion/f162908b8dc1e99
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (7 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0.exe (the process column is this executable for every row)
  description | ioc
  File renamed | C:\Users\Admin\Pictures\PingShow.png => C:\Users\Admin\Pictures\PingShow.png.mwrllymoh
  File opened for modification | C:\Users\Admin\Pictures\RepairEdit.tiff
  File renamed | C:\Users\Admin\Pictures\RepairEdit.tiff => C:\Users\Admin\Pictures\RepairEdit.tiff.mwrllymoh
  File renamed | C:\Users\Admin\Pictures\RestoreSwitch.png => C:\Users\Admin\Pictures\RestoreSwitch.png.mwrllymoh
  File renamed | C:\Users\Admin\Pictures\StopSync.crw => C:\Users\Admin\Pictures\StopSync.crw.mwrllymoh
  File opened for modification | C:\Users\Admin\Pictures\TestPing.tiff
  File renamed | C:\Users\Admin\Pictures\TestPing.tiff => C:\Users\Admin\Pictures\TestPing.tiff.mwrllymoh
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0.exe
  description | ioc
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"
- Drops file in Program Files directory (46 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0.exe
  description | ioc
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0.exe
  pid | process
  612 | de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0.exe
  612 | de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0.exe
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0.exe
  description | pid | process | target process
  PID 612 wrote to memory of 1852 | 612 | de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0.exe | wmic.exe
  PID 612 wrote to memory of 1852 | 612 | de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0.exe | wmic.exe
  PID 612 wrote to memory of 1852 | 612 | de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0.exe | wmic.exe
  PID 612 wrote to memory of 1852 | 612 | de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0.exe | wmic.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\de4e50fa18bae7964ea77d1e015265e4c2232e5bc7d97d28e420c942ce65d6c0.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/612-54-0x0000000075891000-0x0000000075893000-memory.dmp (Filesize: 8KB)