Analysis
- max time kernel: 149s
- max time network: 173s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 19:37
Static task: static1
Behavioral task: behavioral1
Sample: 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
Resource: win7-en-20211208
General
- Target: 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
- Size: 139KB
- MD5: 04f2a82387c8e503f655921da892cf9c
- SHA1: 34c4ddb4d5d3bb0fce0651d9c44c21d2dbc01ac3
- SHA256: 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f
- SHA512: ec5feba51522a701a66541aa1c3d0ffe172ac9d02ccf8eacbdc63692a52a9b8aa92093e2d22c525e72e4ce3762256275bd9dd38234f594d8231c5691d95630c2
Malware Config
Extracted
- Path: C:\AUSVIQV-DECRYPT.txt
- URL: http://gandcrabmfe6mnef.onion/540dc5b58efcd0f2
Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.

suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\InvokeSelect.tiff => C:\Users\Admin\Pictures\InvokeSelect.tiff.ausviqv | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File renamed | C:\Users\Admin\Pictures\RestorePublish.png => C:\Users\Admin\Pictures\RestorePublish.png.ausviqv | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File renamed | C:\Users\Admin\Pictures\UnlockEnter.tif => C:\Users\Admin\Pictures\UnlockEnter.tif.ausviqv | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File renamed | C:\Users\Admin\Pictures\UnpublishEnter.png => C:\Users\Admin\Pictures\UnpublishEnter.png.ausviqv | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File renamed | C:\Users\Admin\Pictures\BlockDisable.tif => C:\Users\Admin\Pictures\BlockDisable.tif.ausviqv | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File renamed | C:\Users\Admin\Pictures\BlockUnpublish.raw => C:\Users\Admin\Pictures\BlockUnpublish.raw.ausviqv | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File renamed | C:\Users\Admin\Pictures\CompressRepair.raw => C:\Users\Admin\Pictures\CompressRepair.raw.ausviqv | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Users\Admin\Pictures\InvokeSelect.tiff | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
description | ioc | process
File opened (read-only) | \??\A: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\H: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\K: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\M: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\O: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\S: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\W: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\Y: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\E: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\F: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\G: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\I: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\J: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\N: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\P: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\R: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\U: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\V: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\Z: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\B: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\L: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\Q: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\T: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened (read-only) | \??\X: | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe

Drops file in Program Files directory (34 IoCs)
Processes: 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\AUSVIQV-DECRYPT.txt | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\8efcd7118efcd0f5214.lock | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\ConvertFromSet.M2T | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\8efcd7118efcd0f5214.lock | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\AUSVIQV-DECRYPT.txt | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\8efcd7118efcd0f5214.lock | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\ClearExport.mht | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\SkipRestore.mpe | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\ProtectSkip.eprtx | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\RestartPop.mpg | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\SearchSelect.xht | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File created | C:\Program Files\8efcd7118efcd0f5214.lock | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\CompressSuspend.ini | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\StepGrant.svgz | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\UnregisterUse.crw | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File created | C:\Program Files (x86)\8efcd7118efcd0f5214.lock | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\EnterUndo.xsl | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\ReadTrace.ps1 | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\AUSVIQV-DECRYPT.txt | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\CompleteSelect.dxf | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\ImportInitialize.ps1xml | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\MergeResume.wma | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\SplitWait.emf | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\UninstallUnprotect.cfg | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File created | C:\Program Files\AUSVIQV-DECRYPT.txt | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\InstallDeny.contact | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\FindWrite.xhtml | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\InvokeRequest.mov | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\RegisterReceive.svgz | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File created | C:\Program Files (x86)\AUSVIQV-DECRYPT.txt | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\CompressBackup.vb | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\DisableCompare.rar | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\RedoCopy.wdp | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
File opened for modification | C:\Program Files\SaveExit.doc | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
pid | process
1388 | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
1388 | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe

Suspicious use of AdjustPrivilegeToken (43 IoCs)
Processes: wmic.exe, vssvc.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 1164 | wmic.exe
Token: SeSecurityPrivilege | 1164 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1164 | wmic.exe
Token: SeLoadDriverPrivilege | 1164 | wmic.exe
Token: SeSystemProfilePrivilege | 1164 | wmic.exe
Token: SeSystemtimePrivilege | 1164 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1164 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1164 | wmic.exe
Token: SeCreatePagefilePrivilege | 1164 | wmic.exe
Token: SeBackupPrivilege | 1164 | wmic.exe
Token: SeRestorePrivilege | 1164 | wmic.exe
Token: SeShutdownPrivilege | 1164 | wmic.exe
Token: SeDebugPrivilege | 1164 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1164 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1164 | wmic.exe
Token: SeUndockPrivilege | 1164 | wmic.exe
Token: SeManageVolumePrivilege | 1164 | wmic.exe
Token: 33 | 1164 | wmic.exe
Token: 34 | 1164 | wmic.exe
Token: 35 | 1164 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 1164 | wmic.exe
Token: SeSecurityPrivilege | 1164 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1164 | wmic.exe
Token: SeLoadDriverPrivilege | 1164 | wmic.exe
Token: SeSystemProfilePrivilege | 1164 | wmic.exe
Token: SeSystemtimePrivilege | 1164 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1164 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1164 | wmic.exe
Token: SeCreatePagefilePrivilege | 1164 | wmic.exe
Token: SeBackupPrivilege | 1164 | wmic.exe
Token: SeRestorePrivilege | 1164 | wmic.exe
Token: SeShutdownPrivilege | 1164 | wmic.exe
Token: SeDebugPrivilege | 1164 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1164 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1164 | wmic.exe
Token: SeUndockPrivilege | 1164 | wmic.exe
Token: SeManageVolumePrivilege | 1164 | wmic.exe
Token: 33 | 1164 | wmic.exe
Token: 34 | 1164 | wmic.exe
Token: 35 | 1164 | wmic.exe
Token: SeBackupPrivilege | 296 | vssvc.exe
Token: SeRestorePrivilege | 296 | vssvc.exe
Token: SeAuditPrivilege | 296 | vssvc.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
description | pid | process | target process
PID 1388 wrote to memory of 1164 | 1388 | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe | wmic.exe
PID 1388 wrote to memory of 1164 | 1388 | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe | wmic.exe
PID 1388 wrote to memory of 1164 | 1388 | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe | wmic.exe
PID 1388 wrote to memory of 1164 | 1388 | 92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe | wmic.exe
Processes

C:\Users\Admin\AppData\Local\Temp\92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\92aadeb4fb086bc672e28de288ab684990d4efbd43cdd94380037e4990a14b3f.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    child process: C:\Windows\SysWOW64\wbem\wmic.exe
      command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1388-55-0x00000000758A1000-0x00000000758A3000-memory.dmp (Filesize: 8KB)