Analysis
max time kernel: 192s
max time network: 207s
platform: windows10_x64
resource: win10-en-20211208
submitted: 28-01-2022 19:34
Static task: static1
Behavioral task: behavioral1
  Sample: 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
  Resource: win10-en-20211208
General
Target: 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
Size: 139KB
MD5: 647ce0159d62ba5e42a1a1ee52c83ee6
SHA1: 4e278e03ec67129d49e9c07c73749c0952dc62fd
SHA256: 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107
SHA512: 8061d68c2cefbf66ced0d1df7b518a8a64f8f3b6e8db7243754760f3291017e85f723d998749b5c851819703f2f33b9e2631495728ff53245f8899f1ee9832a8
Malware Config
Extracted from: C:\ZVOUIEG-DECRYPT.txt
URL: http://gandcrabmfe6mnef.onion/d5104ffaaece9ed0
Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\ResetOut.tiff | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File renamed | C:\Users\Admin\Pictures\ResetOut.tiff => C:\Users\Admin\Pictures\ResetOut.tiff.zvouieg | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File renamed | C:\Users\Admin\Pictures\ShowOpen.raw => C:\Users\Admin\Pictures\ShowOpen.raw.zvouieg | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File renamed | C:\Users\Admin\Pictures\WriteTest.raw => C:\Users\Admin\Pictures\WriteTest.raw.zvouieg | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertFromImport.tiff | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File renamed | C:\Users\Admin\Pictures\ConvertFromImport.tiff => C:\Users\Admin\Pictures\ConvertFromImport.tiff.zvouieg | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File renamed | C:\Users\Admin\Pictures\ExitSelect.raw => C:\Users\Admin\Pictures\ExitSelect.raw.zvouieg | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File renamed | C:\Users\Admin\Pictures\RepairRequest.crw => C:\Users\Admin\Pictures\RepairRequest.crw.zvouieg | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
Drops startup file (2 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\aece9930aece9eda74.lock | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ZVOUIEG-DECRYPT.txt | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\T: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\V: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\B: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\J: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\L: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\O: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\R: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\U: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\Y: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\A: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\G: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\I: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\M: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\S: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\W: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\X: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\E: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\H: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\K: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\N: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\P: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\Q: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\Z: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened (read-only) | \??\F: | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
Drops file in Program Files directory (32 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files (x86)\aece9930aece9eda74.lock | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\OpenDismount.m4v | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\ExpandEnter.jpg | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\FormatSend.vbe | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\ReadRename.pub | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\ResolvePush.ppt | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\SearchSync.mp2v | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\CompleteUnregister.svg | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\GetWait.pub | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\LimitMove.jtx | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\RequestBackup.ttf | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\StartResolve.3gp2 | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File created | C:\Program Files\aece9930aece9eda74.lock | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\ProtectFormat.dxf | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\RenameDisable.avi | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\ResolveSet.contact | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\SkipRequest.dotm | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\CompleteRequest.3gp2 | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\CloseTest.mp3 | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\InitializeAssert.vssm | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File created | C:\Program Files\ZVOUIEG-DECRYPT.txt | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\OptimizeSave.eprtx | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\SplitExpand.pub | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\SwitchImport.hta | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\MountGrant.vbe | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\LockConfirm.xlsx | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\MergeUnregister.mpv2 | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\SetReset.png | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\UseRename.wmf | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File created | C:\Program Files (x86)\ZVOUIEG-DECRYPT.txt | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\GetCompress.doc | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
File opened for modification | C:\Program Files\HideRestart.mpp | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid | process
2948 | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
2948 | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
2948 | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
2948 | 94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
Processes
C:\Users\Admin\AppData\Local\Temp\94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\94e829c84786c6a10a7552d591a08b577921d6d6b8942a48cac2a3cbdfef8107.exe"
Signatures triggered:
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses