Analysis
-
max time kernel
121s -
max time network
148s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
28-01-2022 18:51
Static task
static1
Behavioral task
behavioral1
Sample
b24ec3bc9de1faa5a55c54835c2673e244e7b42e291f70cbdc2c23672abc7067.dll
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
b24ec3bc9de1faa5a55c54835c2673e244e7b42e291f70cbdc2c23672abc7067.dll
Resource
win10-en-20211208
General
-
Target
b24ec3bc9de1faa5a55c54835c2673e244e7b42e291f70cbdc2c23672abc7067.dll
-
Size
130KB
-
MD5
50c0c967b590235bb84fadd52e17d906
-
SHA1
0c15e677d1a078a8cbee56f27aeeef4cf61c517f
-
SHA256
b24ec3bc9de1faa5a55c54835c2673e244e7b42e291f70cbdc2c23672abc7067
-
SHA512
b88e1310b48d27b3bf739e1b9c9e904661c1e7ccebbc1145bb9556221ee6b968d3f1f8cee42c3cdc01f4f3e55f967d93cb00f5fb9b7fd86372824b3151310509
Malware Config
Extracted
C:\XOVFQWDJDU-DECRYPT.txt
http://gandcrabmfe6mnef.onion/605e4f1ecf6e5aad
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\F: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\Z: rundll32.exe -
Drops file in Program Files directory 8 IoCs
Processes:
rundll32.exedescription ioc process File created C:\Program Files\cf6e5d4dcf6e5aa722.lock rundll32.exe File opened for modification C:\Program Files\ApproveDebug.potx rundll32.exe File opened for modification C:\Program Files\AssertInitialize.dib rundll32.exe File opened for modification C:\Program Files\BlockNew.xps rundll32.exe File opened for modification C:\Program Files\ConnectInvoke.docx rundll32.exe File opened for modification C:\Program Files\CopySwitch.3gp2 rundll32.exe File opened for modification C:\Program Files\DismountRevoke.mpeg3 rundll32.exe File created C:\Program Files\XOVFQWDJDU-DECRYPT.txt rundll32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3940 2308 WerFault.exe rundll32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
rundll32.exeWerFault.exepid process 2308 rundll32.exe 2308 rundll32.exe 2308 rundll32.exe 2308 rundll32.exe 3940 WerFault.exe 3940 WerFault.exe 3940 WerFault.exe 3940 WerFault.exe 3940 WerFault.exe 3940 WerFault.exe 3940 WerFault.exe 3940 WerFault.exe 3940 WerFault.exe 3940 WerFault.exe 3940 WerFault.exe 3940 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 3940 WerFault.exe Token: SeBackupPrivilege 3940 WerFault.exe Token: SeDebugPrivilege 3940 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 1552 wrote to memory of 2308 1552 rundll32.exe rundll32.exe PID 1552 wrote to memory of 2308 1552 rundll32.exe rundll32.exe PID 1552 wrote to memory of 2308 1552 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b24ec3bc9de1faa5a55c54835c2673e244e7b42e291f70cbdc2c23672abc7067.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b24ec3bc9de1faa5a55c54835c2673e244e7b42e291f70cbdc2c23672abc7067.dll,#12⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 6843⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken