Analysis
max time kernel: 146s
max time network: 172s
platform: windows7_x64
resource: win7-en-20211208
submitted: 28-01-2022 21:09
Static task: static1
Behavioral task: behavioral1
Sample: 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
Resource: win7-en-20211208
General
Target: 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
Size: 139KB
MD5: 31b0542612ddefde00c650fe828ccd35
SHA1: 8f41756a09673187a297b64778c6b9c4b22c0b68
SHA256: 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98
SHA512: 77fa193c58f2af347ad8ddd9c96b6fb9d85615e1e550fc8d0f86ae08966388fe712908d23ca6b6b8552889a833877af161deba039e081e4ec439b0cf21473fe0
Malware Config
Extracted
C:\RYTNPBXQ-DECRYPT.txt
http://gandcrabmfe6mnef.onion/9ff5afccf6fec26a
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\PublishBackup.crw => C:\Users\Admin\Pictures\PublishBackup.crw.rytnpbxq | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File renamed | C:\Users\Admin\Pictures\RemoveTrace.png => C:\Users\Admin\Pictures\RemoveTrace.png.rytnpbxq | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File renamed | C:\Users\Admin\Pictures\ResetConnect.crw => C:\Users\Admin\Pictures\ResetConnect.crw.rytnpbxq | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Users\Admin\Pictures\SkipRename.tiff | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File renamed | C:\Users\Admin\Pictures\SkipRename.tiff => C:\Users\Admin\Pictures\SkipRename.tiff.rytnpbxq | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File renamed | C:\Users\Admin\Pictures\UnpublishAssert.png => C:\Users\Admin\Pictures\UnpublishAssert.png.rytnpbxq | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File renamed | C:\Users\Admin\Pictures\BlockUnblock.tif => C:\Users\Admin\Pictures\BlockUnblock.tif.rytnpbxq | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File renamed | C:\Users\Admin\Pictures\MoveResume.crw => C:\Users\Admin\Pictures\MoveResume.crw.rytnpbxq | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
description | ioc | process
File opened (read-only) | \??\L: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\M: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\N: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\A: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\H: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\I: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\J: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\K: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\S: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\U: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\Q: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\W: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\Z: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\T: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\V: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\Y: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\B: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\E: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\G: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\P: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\R: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\F: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\O: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened (read-only) | \??\X: | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
-
Drops file in Program Files directory 47 IoCs
Processes: 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
description | ioc | process
File opened for modification | C:\Program Files\DismountExpand.temp | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\PushAdd.css | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\RedoDismount.M2V | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\SuspendShow.pot | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\UnprotectRestore.txt | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RYTNPBXQ-DECRYPT.txt | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\ApproveSkip.otf | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\HideRestart.wma | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\RedoReceive.tiff | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\RemoveCopy.m4v | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\UndoWrite.m4v | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\UnlockMerge.xht | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\f6fec589f6fec26d214.lock | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RYTNPBXQ-DECRYPT.txt | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\DismountSelect.png | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\MergeDismount.DVR | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\RenameSwitch.vbe | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File created | C:\Program Files (x86)\RYTNPBXQ-DECRYPT.txt | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\f6fec589f6fec26d214.lock | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\f6fec589f6fec26d214.lock | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\DebugConvertFrom.vsw | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File created | C:\Program Files\f6fec589f6fec26d214.lock | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\AddNew.tmp | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\DenyWrite.otf | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\ExportDisconnect.jtx | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\FindResume.tif | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\LimitPublish.001 | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\MergeRevoke.emf | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File created | C:\Program Files\RYTNPBXQ-DECRYPT.txt | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\RestartRedo.pot | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\RestoreSplit.jfif | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\RevokePublish.odt | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\UnblockCompress.js | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\ReceiveFormat.mov | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\ResolveUnprotect.wmv | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\SplitUnprotect.scf | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\PublishWait.jpeg | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\DismountUnpublish.crw | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\EditInvoke.dotm | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RYTNPBXQ-DECRYPT.txt | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\ConnectMount.css | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\ImportRestore.xps | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\UpdateStart.wmv | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\CheckpointRequest.TTS | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\SelectDebug.tif | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File created | C:\Program Files (x86)\f6fec589f6fec26d214.lock | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
File opened for modification | C:\Program Files\CompressShow.xls | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
pid | process
1672 | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
1672 | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes: wmic.exe, vssvc.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 1256 | wmic.exe
Token: SeSecurityPrivilege | 1256 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1256 | wmic.exe
Token: SeLoadDriverPrivilege | 1256 | wmic.exe
Token: SeSystemProfilePrivilege | 1256 | wmic.exe
Token: SeSystemtimePrivilege | 1256 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1256 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1256 | wmic.exe
Token: SeCreatePagefilePrivilege | 1256 | wmic.exe
Token: SeBackupPrivilege | 1256 | wmic.exe
Token: SeRestorePrivilege | 1256 | wmic.exe
Token: SeShutdownPrivilege | 1256 | wmic.exe
Token: SeDebugPrivilege | 1256 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1256 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1256 | wmic.exe
Token: SeUndockPrivilege | 1256 | wmic.exe
Token: SeManageVolumePrivilege | 1256 | wmic.exe
Token: 33 | 1256 | wmic.exe
Token: 34 | 1256 | wmic.exe
Token: 35 | 1256 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 1256 | wmic.exe
Token: SeSecurityPrivilege | 1256 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1256 | wmic.exe
Token: SeLoadDriverPrivilege | 1256 | wmic.exe
Token: SeSystemProfilePrivilege | 1256 | wmic.exe
Token: SeSystemtimePrivilege | 1256 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1256 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1256 | wmic.exe
Token: SeCreatePagefilePrivilege | 1256 | wmic.exe
Token: SeBackupPrivilege | 1256 | wmic.exe
Token: SeRestorePrivilege | 1256 | wmic.exe
Token: SeShutdownPrivilege | 1256 | wmic.exe
Token: SeDebugPrivilege | 1256 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1256 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1256 | wmic.exe
Token: SeUndockPrivilege | 1256 | wmic.exe
Token: SeManageVolumePrivilege | 1256 | wmic.exe
Token: 33 | 1256 | wmic.exe
Token: 34 | 1256 | wmic.exe
Token: 35 | 1256 | wmic.exe
Token: SeBackupPrivilege | 1980 | vssvc.exe
Token: SeRestorePrivilege | 1980 | vssvc.exe
Token: SeAuditPrivilege | 1980 | vssvc.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
description | pid | process | target process
PID 1672 wrote to memory of 1256 | 1672 | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe | wmic.exe
PID 1672 wrote to memory of 1256 | 1672 | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe | wmic.exe
PID 1672 wrote to memory of 1256 | 1672 | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe | wmic.exe
PID 1672 wrote to memory of 1256 | 1672 | 4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe | wmic.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4be2d7cc2d715d7e5b87eb21f0c984f4da961d63aec448c790800fc1f76f2b98.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wbem\wmic.exe (child process)
    command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1672-55-0x0000000075801000-0x0000000075803000-memory.dmp (Filesize: 8KB)