Analysis

  • max time kernel
    158s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-01-2022 17:59

General

  • Target
    db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
  • Size
    191KB
  • MD5
    5bc5696a899074cb3623aa640602c8ad
  • SHA1
    792d0ef1d01d80426aabc2c8bbeb680690d94798
  • SHA256
    db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9
  • SHA512
    7574237d9495c0cf056b67fb7efa61d426f383976e8fb73b2370835fd1ed63a85d0061c24ee16472bb973acd7cbbb690638b07bb20057774ace0e13b4f87e221

Malware Config

Extracted

Path

C:\KRAB-DECRYPT.txt

Ransom Note

---= GANDCRAB V4 =---
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/11c2f5583dfdc5fb
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
---END GANDCRAB KEY---
---BEGIN PC DATA---
---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/11c2f5583dfdc5fb

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 13 IoCs

    Ransomware generally changes the extension on encrypted files.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 40 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe
    "C:\Users\Admin\AppData\Local\Temp\db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Users\Admin\AppData\Local\Temp\db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe
      C:\Users\Admin\AppData\Local\Temp\db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3116
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3028
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:82945 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3272
    • C:\Windows\SysWOW64\wbem\wmic.exe
      "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1964
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2124

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    File Deletion (T1107): 1
    Modify Registry (T1112): 2
    Install Root Certificate (T1130): 1
  • Credential Access
    Credentials in Files (T1081): 1
  • Discovery
    Query Registry (T1012): 2
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 3
  • Collection
    Data from Local System (T1005): 1
  • Impact
    Inhibit System Recovery (T1490): 1

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\4W2LY5B3.cookie
    MD5: 22c47b0d1a3a2c9637de95577b86d3bf
    SHA1: d41a81e568f2ca610af32794b3f2568009359d51
    SHA256: 7265738069bceab1b8ec85922d9d1b8b72a4be530f52d36c5bcc171ab03ce92a
    SHA512: e846027d1676b7603d774880fb6da4d3f3e33bce2962eb537121ab47a8f77698060bea0e114aaf7eca8f5def8752dbba303681d5c86b1df22254f199f6499f6f

  • C:\Users\Admin\AppData\Local\Temp\db2884a9012cf6e8ea5b3fabb0d02a9487eb412e75085b37188d5e8f4ada7ca9mgr.exe
    MD5: 53879f5fd7af722a70627f9e4b5adce5
    SHA1: 69de5fa9e86e2c7925a1a2b99fd8afca5f490297
    SHA256: db2ac1b0d85aef160b4bdab57c3ebe3fb53eec7345ef703bc1a328f803ea3075
    SHA512: d354a713c6912cec8df4203a69bc048a267ed3b357e1cb24aa96f6d910e1c96a946f8ea82524c0253f2395727efadc55c6672ebf0b0dac66dc4872d2161f55bc

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\KRAB-DECRYPT.txt
    MD5: 349d36d4a802c686df6cf5d0cf90ef77
    SHA1: 464dd5b339395a338b12d1294c2a0da44e4f7cac
    SHA256: 05d44f0449a329a6a0ff33f861a6acb1136b5e165747a25ed5abc495eef7d470
    SHA512: bb67b95952094328a9b656d1323dbfba0de7f3ee63c4b0a93e9fb5c0796e9cebacdabed46973a0829000d40a2ccb067d8f74467055d9cf1b57c7d8d6ac9e9847

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\KRAB-DECRYPT.txt
    MD5: 349d36d4a802c686df6cf5d0cf90ef77
    SHA1: 464dd5b339395a338b12d1294c2a0da44e4f7cac
    SHA256: 05d44f0449a329a6a0ff33f861a6acb1136b5e165747a25ed5abc495eef7d470
    SHA512: bb67b95952094328a9b656d1323dbfba0de7f3ee63c4b0a93e9fb5c0796e9cebacdabed46973a0829000d40a2ccb067d8f74467055d9cf1b57c7d8d6ac9e9847

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\KRAB-DECRYPT.txt
    MD5: 349d36d4a802c686df6cf5d0cf90ef77
    SHA1: 464dd5b339395a338b12d1294c2a0da44e4f7cac
    SHA256: 05d44f0449a329a6a0ff33f861a6acb1136b5e165747a25ed5abc495eef7d470
    SHA512: bb67b95952094328a9b656d1323dbfba0de7f3ee63c4b0a93e9fb5c0796e9cebacdabed46973a0829000d40a2ccb067d8f74467055d9cf1b57c7d8d6ac9e9847

  • memory/3116-117-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize: 72KB

  • memory/3116-118-0x0000000000410000-0x0000000000419000-memory.dmp
    Filesize: 36KB

  • memory/3116-119-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/3116-120-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize: 104KB

  • memory/3116-121-0x0000000000060000-0x0000000000061000-memory.dmp
    Filesize: 4KB

  • memory/3116-122-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize: 72KB