Analysis
- max time kernel: 147s
- max time network: 147s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 21:10

Static task: static1
Behavioral task: behavioral1
  Sample: 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  Resource: win10-en-20211208
General
- Target: 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
- Size: 139KB
- MD5: 24275604649ac0abafe99b981b914fbc
- SHA1: 818b0e3018ad27be9887e9e5f4ef1971f422652c
- SHA256: 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749
- SHA512: 008ef045724963d6ae3b845a6c3de8ebb6682b0f4b8ea77c2d35e2193596b78f0092183de0a88a34f7dde4e71abbc129b2f0f00fd8469801fff66f1b8390b6c8
Malware Config
Extracted
C:\ANEIQINBWA-DECRYPT.txt
http://gandcrabmfe6mnef.onion/e0a0248f202c7c5c
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\InvokeUnblock.tif => C:\Users\Admin\Pictures\InvokeUnblock.tif.aneiqinbwa | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File renamed | C:\Users\Admin\Pictures\RevokeEnter.tif => C:\Users\Admin\Pictures\RevokeEnter.tif.aneiqinbwa | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  description | ioc | process
  File opened (read-only) | \??\J: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\M: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\N: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\P: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\S: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\Z: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\I: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\G: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\Q: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\T: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\U: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\B: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\F: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\K: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\R: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\V: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\W: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\X: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\A: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\H: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\L: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\O: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\Y: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened (read-only) | \??\E: | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
- Drops file in Program Files directory (25 IoCs)
  Processes: 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  description | ioc | process
  File opened for modification | C:\Program Files\DismountDisable.wax | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened for modification | C:\Program Files\InitializeEnable.ttc | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened for modification | C:\Program Files\ReceiveEnable.vsdm | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened for modification | C:\Program Files\RedoDebug.xlsx | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened for modification | C:\Program Files\RemoveStop.mpeg2 | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened for modification | C:\Program Files\SyncExit.wma | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File created | C:\Program Files (x86)\ANEIQINBWA-DECRYPT.txt | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File created | C:\Program Files (x86)\202c7bbf202c7c5b214.lock | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\202c7bbf202c7c5b214.lock | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\ANEIQINBWA-DECRYPT.txt | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\202c7bbf202c7c5b214.lock | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened for modification | C:\Program Files\ClearStep.docm | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\202c7bbf202c7c5b214.lock | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File created | C:\Program Files\202c7bbf202c7c5b214.lock | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened for modification | C:\Program Files\AssertResume.gif | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened for modification | C:\Program Files\ConvertToRead.vsd | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened for modification | C:\Program Files\ConvertToTrace.wmf | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened for modification | C:\Program Files\DebugUnlock.odp | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened for modification | C:\Program Files\MergeInitialize.php | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened for modification | C:\Program Files\ResolveOpen.wdp | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\ANEIQINBWA-DECRYPT.txt | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File created | C:\Program Files\ANEIQINBWA-DECRYPT.txt | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened for modification | C:\Program Files\DenyDisconnect.midi | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File opened for modification | C:\Program Files\ExitAdd.midi | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\ANEIQINBWA-DECRYPT.txt | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  pid | process
  1584 | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  1584 | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  Processes: wmic.exe, vssvc.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 1136 | wmic.exe
  Token: SeSecurityPrivilege | 1136 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1136 | wmic.exe
  Token: SeLoadDriverPrivilege | 1136 | wmic.exe
  Token: SeSystemProfilePrivilege | 1136 | wmic.exe
  Token: SeSystemtimePrivilege | 1136 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1136 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1136 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1136 | wmic.exe
  Token: SeBackupPrivilege | 1136 | wmic.exe
  Token: SeRestorePrivilege | 1136 | wmic.exe
  Token: SeShutdownPrivilege | 1136 | wmic.exe
  Token: SeDebugPrivilege | 1136 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1136 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1136 | wmic.exe
  Token: SeUndockPrivilege | 1136 | wmic.exe
  Token: SeManageVolumePrivilege | 1136 | wmic.exe
  Token: 33 | 1136 | wmic.exe
  Token: 34 | 1136 | wmic.exe
  Token: 35 | 1136 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 1136 | wmic.exe
  Token: SeSecurityPrivilege | 1136 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1136 | wmic.exe
  Token: SeLoadDriverPrivilege | 1136 | wmic.exe
  Token: SeSystemProfilePrivilege | 1136 | wmic.exe
  Token: SeSystemtimePrivilege | 1136 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1136 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1136 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1136 | wmic.exe
  Token: SeBackupPrivilege | 1136 | wmic.exe
  Token: SeRestorePrivilege | 1136 | wmic.exe
  Token: SeShutdownPrivilege | 1136 | wmic.exe
  Token: SeDebugPrivilege | 1136 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1136 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1136 | wmic.exe
  Token: SeUndockPrivilege | 1136 | wmic.exe
  Token: SeManageVolumePrivilege | 1136 | wmic.exe
  Token: 33 | 1136 | wmic.exe
  Token: 34 | 1136 | wmic.exe
  Token: 35 | 1136 | wmic.exe
  Token: SeBackupPrivilege | 1144 | vssvc.exe
  Token: SeRestorePrivilege | 1144 | vssvc.exe
  Token: SeAuditPrivilege | 1144 | vssvc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  description | pid | process | target process
  PID 1584 wrote to memory of 1136 | 1584 | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe | wmic.exe
  PID 1584 wrote to memory of 1136 | 1584 | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe | wmic.exe
  PID 1584 wrote to memory of 1136 | 1584 | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe | wmic.exe
  PID 1584 wrote to memory of 1136 | 1584 | 4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe | wmic.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749.exe"
  PID: 1584
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wbem\wmic.exe (child of PID 1584)
    Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    PID: 1136
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1144
  - Suspicious use of AdjustPrivilegeToken