Analysis
Max time kernel: 136s
Max time network: 159s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 28-01-2022 18:09
Static task: static1
Behavioral task: behavioral1 (sample d2f237743c9bf65873afa65a45f02c01fd91315e6d7406fec02dc50c3255ab9b.exe, resource win7-en-20211208)
General
Target: d2f237743c9bf65873afa65a45f02c01fd91315e6d7406fec02dc50c3255ab9b.exe
Size: 139KB
MD5: 24a1ac0b0cd98114910888fe63f7e502
SHA1: 9fd4c130a7e023f5ac50272a0d45e8a3acb78152
SHA256: d2f237743c9bf65873afa65a45f02c01fd91315e6d7406fec02dc50c3255ab9b
SHA512: d20781c7f9e8e4fcb797e17e0a366ed355b49fdfda892bb28e33688dd8b0de73ca03572dbe877d33d1ce1b51d57702f5caf0b7a159f230ea986e25891eb60ff9
Malware Config
Extracted
Path: C:\BXJDC-DECRYPT.txt
URL: http://gandcrabmfe6mnef.onion/b67371a9158d17f2
Signatures
Gandcrab
GandCrab is a ransomware family: it encrypts the victim's files, appends a per-victim extension to each one and drops a ransom note pointing to a Tor (.onion) payment site, as in the extracted config above.
suricata (x2): ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
Deletes shadow copies (2 TTPs)
Ransomware commonly deletes Volume Shadow Copies to inhibit system recovery; here the sample spawns wmic.exe with "shadowcopy delete" (see the process tree below).
Modifies extensions of user files (14 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: d2f237743c9bf65873afa65a45f02c01fd91315e6d7406fec02dc50c3255ab9b.exe (all entries below)
  File renamed C:\Users\Admin\Pictures\OutSend.crw => C:\Users\Admin\Pictures\OutSend.crw.bxjdc
  File renamed C:\Users\Admin\Pictures\PingImport.tif => C:\Users\Admin\Pictures\PingImport.tif.bxjdc
  File opened for modification C:\Users\Admin\Pictures\ProtectSelect.tiff
  File opened for modification C:\Users\Admin\Pictures\RevokeOut.tiff
  File renamed C:\Users\Admin\Pictures\SkipDebug.png => C:\Users\Admin\Pictures\SkipDebug.png.bxjdc
  File renamed C:\Users\Admin\Pictures\ProtectSelect.tiff => C:\Users\Admin\Pictures\ProtectSelect.tiff.bxjdc
  File renamed C:\Users\Admin\Pictures\ShowOpen.raw => C:\Users\Admin\Pictures\ShowOpen.raw.bxjdc
  File opened for modification C:\Users\Admin\Pictures\GetApprove.tiff
  File renamed C:\Users\Admin\Pictures\GetApprove.tiff => C:\Users\Admin\Pictures\GetApprove.tiff.bxjdc
  File renamed C:\Users\Admin\Pictures\RevokeOut.tiff => C:\Users\Admin\Pictures\RevokeOut.tiff.bxjdc
  File renamed C:\Users\Admin\Pictures\SubmitReceive.raw => C:\Users\Admin\Pictures\SubmitReceive.raw.bxjdc
  File renamed C:\Users\Admin\Pictures\DisableCompare.tif => C:\Users\Admin\Pictures\DisableCompare.tif.bxjdc
  File renamed C:\Users\Admin\Pictures\SendCheckpoint.raw => C:\Users\Admin\Pictures\SendCheckpoint.raw.bxjdc
  File renamed C:\Users\Admin\Pictures\StopSync.crw => C:\Users\Admin\Pictures\StopSync.crw.bxjdc
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: d2f237743c9bf65873afa65a45f02c01fd91315e6d7406fec02dc50c3255ab9b.exe
  File opened (read-only), in the order recorded: \??\N:, \??\Q:, \??\T:, \??\A:, \??\H:, \??\J:, \??\L:, \??\G:, \??\R:, \??\V:, \??\Y:, \??\M:, \??\P:, \??\U:, \??\Z:, \??\B:, \??\F:, \??\I:, \??\K:, \??\X:, \??\E:, \??\O:, \??\S:, \??\W:
  (every drive letter except C: and D:)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Process: d2f237743c9bf65873afa65a45f02c01fd91315e6d7406fec02dc50c3255ab9b.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"
Drops file in Program Files directory (44 IoCs)
Process: d2f237743c9bf65873afa65a45f02c01fd91315e6d7406fec02dc50c3255ab9b.exe (all entries below)
File created (ransom notes and .lock markers, 10 IoCs):
  C:\Program Files\BXJDC-DECRYPT.txt
  C:\Program Files (x86)\BXJDC-DECRYPT.txt
  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\BXJDC-DECRYPT.txt
  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\BXJDC-DECRYPT.txt
  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\BXJDC-DECRYPT.txt
  C:\Program Files\158d1011158d17f5214.lock
  C:\Program Files (x86)\158d1011158d17f5214.lock
  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\158d1011158d17f5214.lock
  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\158d1011158d17f5214.lock
  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\158d1011158d17f5214.lock
File opened for modification (34 IoCs):
  C:\Program Files\DebugPing.mp4
  C:\Program Files\MoveEdit.vb
  C:\Program Files\SetMove.zip
  C:\Program Files\SubmitApprove.bmp
  C:\Program Files\WriteStop.vsdx
  C:\Program Files\ProtectEnable.mpe
  C:\Program Files\RepairGrant.svgz
  C:\Program Files\CloseCopy.aiff
  C:\Program Files\SaveLock.odt
  C:\Program Files\StopPing.mp4
  C:\Program Files\SyncFormat.mhtml
  C:\Program Files\WriteDismount.vsdx
  C:\Program Files\DenyLock.asx
  C:\Program Files\DisableConfirm.m4a
  C:\Program Files\DisableLock.dotx
  C:\Program Files\LockFormat.emf
  C:\Program Files\RenameCompare.m4a
  C:\Program Files\WaitConfirm.xla
  C:\Program Files\InstallHide.potm
  C:\Program Files\MergePublish.ps1
  C:\Program Files\ProtectConvertTo.rar
  C:\Program Files\DebugExit.wax
  C:\Program Files\EditRevoke.docx
  C:\Program Files\HideTest.cfg
  C:\Program Files\InstallDeny.pcx
  C:\Program Files\InstallUpdate.ex_
  C:\Program Files\SyncOpen.M2TS
  C:\Program Files\ExportStart.xlsx
  C:\Program Files\PublishRevoke.doc
  C:\Program Files\SuspendEnable.wpl
  C:\Program Files\EnterGet.wps
  C:\Program Files\ExitSave.xlt
  C:\Program Files\TestConfirm.ram
  C:\Program Files\TracePop.m4v
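The three file-activity tables above (renamed user files, probed drive letters, files dropped under Program Files) each carry one indicator worth pulling out for a hunt: the appended extension (.bxjdc), the ransom-note name (BXJDC-DECRYPT.txt), the per-run .lock marker and the set of drive roots touched. The following is an added example, not part of the sandbox report or of the malware, that parses event lines in the report's own wording and derives those indicators. The event lines are a constructed subset copied from the tables above; the function names and the check that the note name equals the upper-cased extension plus "-DECRYPT.txt" are this example's own, the latter being what this report shows rather than a documented rule of the family.

```python
import re
from collections import Counter

# Constructed sample of sandbox file-event lines, modelled on the report's
# "Modifies extensions", "Drops file in Program Files" and "Enumerates
# connected drives" tables (same paths; a subset, not the full tables).
SAMPLE_EVENTS = r"""
File renamed C:\Users\Admin\Pictures\OutSend.crw => C:\Users\Admin\Pictures\OutSend.crw.bxjdc
File renamed C:\Users\Admin\Pictures\PingImport.tif => C:\Users\Admin\Pictures\PingImport.tif.bxjdc
File opened for modification C:\Users\Admin\Pictures\ProtectSelect.tiff
File renamed C:\Users\Admin\Pictures\ProtectSelect.tiff => C:\Users\Admin\Pictures\ProtectSelect.tiff.bxjdc
File created C:\Program Files\BXJDC-DECRYPT.txt
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\BXJDC-DECRYPT.txt
File created C:\Program Files\158d1011158d17f5214.lock
File created C:\Program Files (x86)\158d1011158d17f5214.lock
File opened for modification C:\Program Files\EditRevoke.docx
File opened (read-only) \??\E:
File opened (read-only) \??\F:
"""

# One regex per event wording used in the report tables.
RENAMED = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")
CREATED = re.compile(r"^File created (?P<path>.+)$")
MODIFIED = re.compile(r"^File opened for modification (?P<path>.+)$")
DRIVE = re.compile(r"^File opened \(read-only\) \\\?\?\\(?P<letter>[A-Z]):$")


def parse_events(text):
    """Turn report-style lines into (action, arg1, arg2) tuples; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := RENAMED.match(line):
            events.append(("renamed", m["src"], m["dst"]))
        elif m := CREATED.match(line):
            events.append(("created", m["path"], None))
        elif m := MODIFIED.match(line):
            events.append(("modified", m["path"], None))
        elif m := DRIVE.match(line):
            events.append(("drive", m["letter"], None))
    return events


def appended_extension(src, dst):
    """Suffix a rename appended (e.g. '.bxjdc'), or None if dst is not src plus a suffix."""
    if dst.startswith(src) and len(dst) > len(src):
        return dst[len(src):]
    return None


def derive_indicators(events):
    """Summarise the encryption footprint: dominant appended extension,
    ransom-note and .lock file names, drive letters probed."""
    ext_counter = Counter()
    notes, locks, drives = set(), set(), set()
    modified = 0
    for action, a, b in events:
        if action == "renamed":
            ext = appended_extension(a, b)
            if ext:
                ext_counter[ext] += 1
        elif action == "created":
            name = a.rsplit("\\", 1)[-1]
            if name.upper().endswith("-DECRYPT.TXT"):
                notes.add(name)
            elif name.lower().endswith(".lock"):
                locks.add(name)
        elif action == "modified":
            modified += 1
        elif action == "drive":
            drives.add(a)
    return {
        "encrypted_extension": ext_counter.most_common(1)[0][0] if ext_counter else None,
        "rename_count": sum(ext_counter.values()),
        "modified_count": modified,
        "ransom_notes": sorted(notes),
        "lock_files": sorted(locks),
        "drives_probed": sorted(drives),
    }


def note_matches_extension(indicators):
    """In this report the note is named after the extension ('.bxjdc' ->
    'BXJDC-DECRYPT.txt'); report whether that relationship holds here."""
    ext = indicators["encrypted_extension"]
    if not ext:
        return False
    expected = ext.lstrip(".").upper() + "-DECRYPT.txt"
    return expected in indicators["ransom_notes"]


if __name__ == "__main__":
    ind = derive_indicators(parse_events(SAMPLE_EVENTS))
    print(ind)
    print("note name derived from extension:", note_matches_extension(ind))
```

The extension is taken as the most common appended suffix rather than the first one seen, so a single unrelated rename in a busier trace does not mislabel the run; the .lock name is collected separately because it is per-infection and is the marker to search for across other hosts.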
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read to fingerprint the host or to detect sandbox environments.
Process: d2f237743c9bf65873afa65a45f02c01fd91315e6d7406fec02dc50c3255ab9b.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: d2f237743c9bf65873afa65a45f02c01fd91315e6d7406fec02dc50c3255ab9b.exe, PID 1532 (both IoCs)
Suspicious use of AdjustPrivilegeToken (43 IoCs)
Processes: wmic.exe (PID 976), vssvc.exe (PID 1984)
wmic.exe (PID 976) enabled the following privilege set, the whole list twice in succession (40 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the privilege LUIDs 33, 34 and 35 (left unnamed by the sandbox).
vssvc.exe (PID 1984) enabled SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege (3 IoCs).
Suspicious use of WriteProcessMemory (4 IoCs)
Process: d2f237743c9bf65873afa65a45f02c01fd91315e6d7406fec02dc50c3255ab9b.exe
  PID 1532 (the sample) wrote to the memory of PID 976 (wmic.exe, its child) four times.
Processes
C:\Users\Admin\AppData\Local\Temp\d2f237743c9bf65873afa65a45f02c01fd91315e6d7406fec02dc50c3255ab9b.exe (PID 1532, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d2f237743c9bf65873afa65a45f02c01fd91315e6d7406fec02dc50c3255ab9b.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\wbem\wmic.exe (PID 976, depth 2, child of the sample)
    Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
    Note: the command line names system32, but the image that actually ran is under SysWOW64. The sample is a 32-bit process, so WoW64 file-system redirection mapped the path for it. A detection rule keyed on the full C:\Windows\System32\wbem\wmic.exe image path would miss this; match on the image basename plus the "shadowcopy delete" arguments instead.
C:\Windows\system32\vssvc.exe (PID 1984, depth 1, the Volume Shadow Copy service; not a child of the sample)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
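The process tree above is the shape a detection for shadow-copy deletion has to match: a child named wmic.exe, possibly under SysWOW64 rather than System32, with "shadowcopy delete" on its command line, spawned by a parent running out of a user-writable directory. The following is an added example, not part of the sandbox report or of any product, that runs that logic over constructed process-creation records. PIDs 1532, 976 and 1984 and their images and command lines are taken from the report; the parent PIDs 600, 1000 and 2000, the cmd.exe record, the benign "wmic os get caption" record and the vssadmin.exe record are assumptions added to exercise the non-matching cases. The vssadmin, wbadmin and PowerShell patterns generalise beyond this sample to the other common ways of destroying shadow copies; the field names follow Sysmon Event ID 1 but the records are assembled inline, not captured.

```python
import re

# File name of the sample, as it appears in the report above.
SAMPLE_NAME = "d2f237743c9bf65873afa65a45f02c01fd91315e6d7406fec02dc50c3255ab9b.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_NAME

# Constructed process-creation records modelled on the report's process tree.
# PIDs 1532/976/1984 and their images and command lines are from the report;
# ppids 600/1000/2000, the cmd.exe record, the benign wmic query and the
# vssadmin record are assumptions used to exercise non-matching cases.
SAMPLE_EVENTS = [
    {"pid": 1532, "ppid": 1000, "image": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"'},
    {"pid": 976, "ppid": 1532, "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "cmdline": r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'},
    {"pid": 1984, "ppid": 600, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},
    {"pid": 2200, "ppid": 2000, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
]

# (image basename, command-line pattern) pairs for shadow-copy destruction.
# The wmic form is the one this sample uses; the others are the common
# equivalents and go beyond what the report shows.
SHADOW_PATTERNS = [
    ("wmic.exe", re.compile(r"\bshadowcopy\s+delete\b", re.I)),
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("vssadmin.exe", re.compile(r"\bresize\s+shadowstorage\b", re.I)),
    ("wbadmin.exe", re.compile(r"\bdelete\s+catalog\b", re.I)),
    ("powershell.exe", re.compile(r"win32_shadowcopy", re.I)),
]

# Directory fragments an unprivileged user can normally write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path):
    """Lower-cased file name of a Windows path, ignoring the directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(path):
    """True if the image lives somewhere an unprivileged user can write."""
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def detect_shadow_copy_deletion(events):
    """Return one hit per process whose image basename and command line match a
    shadow-copy destruction pattern, annotated with its parent's image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        # Basename only: SysWOW64 vs System32 (WoW64 redirection) must not matter.
        img = basename(e["image"])
        for tool, pattern in SHADOW_PATTERNS:
            if img == tool and pattern.search(e["cmdline"]):
                parent = by_pid.get(e["ppid"])
                hits.append({
                    "pid": e["pid"],
                    "tool": img,
                    "cmdline": e["cmdline"],
                    "parent_image": parent["image"] if parent else None,
                    "parent_in_user_writable": bool(parent) and in_user_writable_dir(parent["image"]),
                    "attack": "T1490",  # MITRE ATT&CK: Inhibit System Recovery
                })
                break
    return hits


if __name__ == "__main__":
    for hit in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(hit)
```

Matching on the basename rather than the full image path is what lets the SysWOW64 wmic.exe in this tree match; the parent-directory flag is a severity hint, not a filter, since an attacker with an interactive shell will run the same command from cmd.exe and that still warrants an alert.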
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/1532-55-0x0000000074F11000-0x0000000074F13000-memory.dmp (8KB): memory dump from PID 1532, range 0x74F11000-0x74F13000