Analysis
- max time kernel: 119s
- max time network: 118s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 18:58
Static task: static1
Behavioral task: behavioral1
- Sample: aca0b96126c813b0d29d6fbff9175f8ca62ff2ec6eed83bff76a73ae717cfcb8.dll
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: aca0b96126c813b0d29d6fbff9175f8ca62ff2ec6eed83bff76a73ae717cfcb8.dll
- Resource: win10-en-20211208
General
- Target: aca0b96126c813b0d29d6fbff9175f8ca62ff2ec6eed83bff76a73ae717cfcb8.dll
- Size: 131KB
- MD5: 1ef3f352d97ba827f446f6e8708aa054
- SHA1: eb910b00ff92247044ae7c3006c8946b912f798b
- SHA256: aca0b96126c813b0d29d6fbff9175f8ca62ff2ec6eed83bff76a73ae717cfcb8
- SHA512: cc58d395b38fe2908a5a6c58ef8a53eadf434ef27eafed19f6564d9cad04761575e0d8c0d1d68a5ee94edf066365d7fee2737c0e76ee4326c73dfee1c7f6b91d
Malware Config
Extracted
- Ransom note path: C:\MWVYCU-DECRYPT.txt
- Payment URL: http://gandcrabmfe6mnef.onion/7ef9cdc3f8338a58
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe

  | description             | ioc    | process      |
  |-------------------------|--------|--------------|
  | File opened (read-only) | \??\Z: | rundll32.exe |
  | File opened (read-only) | \??\B: | rundll32.exe |
  | File opened (read-only) | \??\G: | rundll32.exe |
  | File opened (read-only) | \??\H: | rundll32.exe |
  | File opened (read-only) | \??\O: | rundll32.exe |
  | File opened (read-only) | \??\X: | rundll32.exe |
  | File opened (read-only) | \??\Y: | rundll32.exe |
  | File opened (read-only) | \??\A: | rundll32.exe |
  | File opened (read-only) | \??\J: | rundll32.exe |
  | File opened (read-only) | \??\L: | rundll32.exe |
  | File opened (read-only) | \??\N: | rundll32.exe |
  | File opened (read-only) | \??\P: | rundll32.exe |
  | File opened (read-only) | \??\Q: | rundll32.exe |
  | File opened (read-only) | \??\E: | rundll32.exe |
  | File opened (read-only) | \??\F: | rundll32.exe |
  | File opened (read-only) | \??\I: | rundll32.exe |
  | File opened (read-only) | \??\K: | rundll32.exe |
  | File opened (read-only) | \??\S: | rundll32.exe |
  | File opened (read-only) | \??\W: | rundll32.exe |
  | File opened (read-only) | \??\M: | rundll32.exe |
  | File opened (read-only) | \??\R: | rundll32.exe |
  | File opened (read-only) | \??\T: | rundll32.exe |
  | File opened (read-only) | \??\U: | rundll32.exe |
  | File opened (read-only) | \??\V: | rundll32.exe |
- Drops file in Program Files directory (10 IoCs)
  Processes: rundll32.exe

  | description                  | ioc                                          | process      |
  |------------------------------|----------------------------------------------|--------------|
  | File opened for modification | C:\Program Files\ConnectExpand.m4a           | rundll32.exe |
  | File opened for modification | C:\Program Files\ConvertCompare.xlsb         | rundll32.exe |
  | File created                 | C:\Program Files\MWVYCU-DECRYPT.txt          | rundll32.exe |
  | File created                 | C:\Program Files\f8338dbbf8338a5f214.lock    | rundll32.exe |
  | File opened for modification | C:\Program Files\AddShow.kix                 | rundll32.exe |
  | File opened for modification | C:\Program Files\CheckpointGet.M2T           | rundll32.exe |
  | File opened for modification | C:\Program Files\CompleteSwitch.vssm         | rundll32.exe |
  | File opened for modification | C:\Program Files\ConfirmStart.xps            | rundll32.exe |
  | File opened for modification | C:\Program Files\ConvertToJoin.wax           | rundll32.exe |
  | File opened for modification | C:\Program Files\DebugRepair.ex_             | rundll32.exe |
- Program crash (1 IoC)
  Processes: WerFault.exe

  | pid | pid_target | process      | target process |
  |-----|------------|--------------|----------------|
  | 708 | 592        | WerFault.exe | rundll32.exe   |
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: rundll32.exe

  | description       | ioc                                                                              | process      |
  |-------------------|----------------------------------------------------------------------------------|--------------|
  | Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                 | rundll32.exe |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier      | rundll32.exe |
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: rundll32.exe, WerFault.exe

  | pid | process      |
  |-----|--------------|
  | 592 | rundll32.exe |
  | 592 | rundll32.exe |
  | 708 | WerFault.exe |
  | 708 | WerFault.exe |
  | 708 | WerFault.exe |
  | 708 | WerFault.exe |
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: WerFault.exe

  | pid | process      |
  |-----|--------------|
  | 708 | WerFault.exe |
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: WerFault.exe

  | description             | pid | process      |
  |-------------------------|-----|--------------|
  | Token: SeDebugPrivilege | 708 | WerFault.exe |
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe

  | description                    | pid  | process      | target process |
  |--------------------------------|------|--------------|----------------|
  | PID 1364 wrote to memory of 592 | 1364 | rundll32.exe | rundll32.exe   |
  | PID 1364 wrote to memory of 592 | 1364 | rundll32.exe | rundll32.exe   |
  | PID 1364 wrote to memory of 592 | 1364 | rundll32.exe | rundll32.exe   |
  | PID 1364 wrote to memory of 592 | 1364 | rundll32.exe | rundll32.exe   |
  | PID 1364 wrote to memory of 592 | 1364 | rundll32.exe | rundll32.exe   |
  | PID 1364 wrote to memory of 592 | 1364 | rundll32.exe | rundll32.exe   |
  | PID 1364 wrote to memory of 592 | 1364 | rundll32.exe | rundll32.exe   |
  | PID 592 wrote to memory of 708  | 592  | rundll32.exe | WerFault.exe   |
  | PID 592 wrote to memory of 708  | 592  | rundll32.exe | WerFault.exe   |
  | PID 592 wrote to memory of 708  | 592  | rundll32.exe | WerFault.exe   |
  | PID 592 wrote to memory of 708  | 592  | rundll32.exe | WerFault.exe   |
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aca0b96126c813b0d29d6fbff9175f8ca62ff2ec6eed83bff76a73ae717cfcb8.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aca0b96126c813b0d29d6fbff9175f8ca62ff2ec6eed83bff76a73ae717cfcb8.dll,#1
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 280
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken