Analysis
- max time kernel: 169s
- max time network: 180s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 20:24

Static task: static1
Behavioral task: behavioral1
Sample: 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
Resource: win7-en-20211208
General
- Target: 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
- Size: 65KB
- MD5: ad5a2dde47b4ab1ed1cc90fb0b039869
- SHA1: 938d9271941e04ebb31310313be02bec67f64f66
- SHA256: 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540
- SHA512: 7196cc58662e6d14a7ecc40357c18f657a96eb7395550deedbfbf5cc842e0dbcc5a1436f3f272259714625d268b3aa16efc708a992c104d767eb5b1aca6e1715
Malware Config
Extracted
- C:\WSAUCBY-DECRYPT.txt
- http://gandcrabmfe6mnef.onion/afcff3b2a7e531a8
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\CompareFind.crw => C:\Users\Admin\Pictures\CompareFind.crw.wsaucby | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File renamed | C:\Users\Admin\Pictures\PopStart.png => C:\Users\Admin\Pictures\PopStart.png.wsaucby | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File renamed | C:\Users\Admin\Pictures\SelectUnlock.tif => C:\Users\Admin\Pictures\SelectUnlock.tif.wsaucby | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File renamed | C:\Users\Admin\Pictures\StepRestart.raw => C:\Users\Admin\Pictures\StepRestart.raw.wsaucby | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File renamed | C:\Users\Admin\Pictures\UninstallEnable.png => C:\Users\Admin\Pictures\UninstallEnable.png.wsaucby | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File renamed | C:\Users\Admin\Pictures\BackupUnpublish.raw => C:\Users\Admin\Pictures\BackupUnpublish.raw.wsaucby | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
- Drops startup file (2 IoCs)
  Processes: 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\WSAUCBY-DECRYPT.txt | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\a7e53648a7e531a222.lock | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  description | ioc | process
  File opened (read-only) | \??\I: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\L: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\P: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\X: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\H: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\B: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\S: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\T: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\U: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\V: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\A: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\K: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\M: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\N: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\Q: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\W: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\Y: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\E: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\G: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\J: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\O: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\R: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\Z: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened (read-only) | \??\F: | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
- Drops file in Program Files directory (18 IoCs)
  Processes: 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  description | ioc | process
  File opened for modification | C:\Program Files\MountSet.odt | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened for modification | C:\Program Files\NewWatch.ini | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened for modification | C:\Program Files\PublishExpand.AAC | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened for modification | C:\Program Files\ReadUnregister.otf | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File created | C:\Program Files (x86)\WSAUCBY-DECRYPT.txt | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File created | C:\Program Files\WSAUCBY-DECRYPT.txt | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened for modification | C:\Program Files\ImportConfirm.jpg | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened for modification | C:\Program Files\RestartCopy.doc | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened for modification | C:\Program Files\WaitClose.xhtml | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened for modification | C:\Program Files\DebugRename.txt | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened for modification | C:\Program Files\UnpublishUse.wma | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File created | C:\Program Files\a7e53648a7e531a222.lock | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened for modification | C:\Program Files\InitializeComplete.aifc | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened for modification | C:\Program Files\PopEnable.wma | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened for modification | C:\Program Files\RequestRemove.mhtml | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened for modification | C:\Program Files\StopComplete.avi | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File created | C:\Program Files (x86)\a7e53648a7e531a222.lock | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  File opened for modification | C:\Program Files\ConvertToDisable.svgz | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  pid | process
  3064 | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  3064 | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  3064 | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  3064 | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes: wmic.exe, vssvc.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 704 | wmic.exe
  Token: SeSecurityPrivilege | 704 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 704 | wmic.exe
  Token: SeLoadDriverPrivilege | 704 | wmic.exe
  Token: SeSystemProfilePrivilege | 704 | wmic.exe
  Token: SeSystemtimePrivilege | 704 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 704 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 704 | wmic.exe
  Token: SeCreatePagefilePrivilege | 704 | wmic.exe
  Token: SeBackupPrivilege | 704 | wmic.exe
  Token: SeRestorePrivilege | 704 | wmic.exe
  Token: SeShutdownPrivilege | 704 | wmic.exe
  Token: SeDebugPrivilege | 704 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 704 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 704 | wmic.exe
  Token: SeUndockPrivilege | 704 | wmic.exe
  Token: SeManageVolumePrivilege | 704 | wmic.exe
  Token: 33 | 704 | wmic.exe
  Token: 34 | 704 | wmic.exe
  Token: 35 | 704 | wmic.exe
  Token: 36 | 704 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 704 | wmic.exe
  Token: SeSecurityPrivilege | 704 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 704 | wmic.exe
  Token: SeLoadDriverPrivilege | 704 | wmic.exe
  Token: SeSystemProfilePrivilege | 704 | wmic.exe
  Token: SeSystemtimePrivilege | 704 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 704 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 704 | wmic.exe
  Token: SeCreatePagefilePrivilege | 704 | wmic.exe
  Token: SeBackupPrivilege | 704 | wmic.exe
  Token: SeRestorePrivilege | 704 | wmic.exe
  Token: SeShutdownPrivilege | 704 | wmic.exe
  Token: SeDebugPrivilege | 704 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 704 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 704 | wmic.exe
  Token: SeUndockPrivilege | 704 | wmic.exe
  Token: SeManageVolumePrivilege | 704 | wmic.exe
  Token: 33 | 704 | wmic.exe
  Token: 34 | 704 | wmic.exe
  Token: 35 | 704 | wmic.exe
  Token: 36 | 704 | wmic.exe
  Token: SeBackupPrivilege | 2364 | vssvc.exe
  Token: SeRestorePrivilege | 2364 | vssvc.exe
  Token: SeAuditPrivilege | 2364 | vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  description | pid | process | target process
  PID 3064 wrote to memory of 704 | 3064 | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe | wmic.exe
  PID 3064 wrote to memory of 704 | 3064 | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe | wmic.exe
  PID 3064 wrote to memory of 704 | 3064 | 6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe | wmic.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d291c12fdb7ded66cb67088bb2fc84a28b2f36f22a599cb9a03b41b02fe0540.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wbem\wmic.exe (child process)
    Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken