Analysis
- max time kernel: 24s
- max time network: 29s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 19:07

Static task: static1
Behavioral task: behavioral1
Sample: new.exe
Resource: win10v2004-20220414-en

General
- Target: new.exe
- Size: 1.8MB
- MD5: 8403bb69eae17501273aee13975187cd
- SHA1: 339f17f5fa257ff7f274f9b765e416645564f8c6
- SHA256: c7f88943301b4e6fdc6f2823932b3d5d7d24a40e114e1399e5c42c4d18b2aed9
- SHA512: 4aff32fbb1aaba3eb87b06d59aa48a53d279eddae71c547459b60d13a7bd9005a6fd38396476b1af4fc511c6ff24be3f2502200b51cc30a4a7b3db18f0f209cd

Malware Config
Extracted:
- Ransom note path: C:\SIYWRZTS-DECRYPT.txt
- Payment URL: http://gandcrabmfe6mnef.onion/234ab49c3636cc56
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: wermgr.exe
  Description | IoC | Process
  File renamed | C:\Users\Admin\Pictures\UpdateJoin.png => C:\Users\Admin\Pictures\UpdateJoin.png.siywrzts | wermgr.exe
  File renamed | C:\Users\Admin\Pictures\DenyAdd.crw => C:\Users\Admin\Pictures\DenyAdd.crw.siywrzts | wermgr.exe
  File renamed | C:\Users\Admin\Pictures\EditStart.tiff => C:\Users\Admin\Pictures\EditStart.tiff.siywrzts | wermgr.exe
  File renamed | C:\Users\Admin\Pictures\GrantUninstall.tif => C:\Users\Admin\Pictures\GrantUninstall.tif.siywrzts | wermgr.exe
  File renamed | C:\Users\Admin\Pictures\GetOptimize.crw => C:\Users\Admin\Pictures\GetOptimize.crw.siywrzts | wermgr.exe
  File renamed | C:\Users\Admin\Pictures\InstallBackup.raw => C:\Users\Admin\Pictures\InstallBackup.raw.siywrzts | wermgr.exe
  File renamed | C:\Users\Admin\Pictures\BackupApprove.raw => C:\Users\Admin\Pictures\BackupApprove.raw.siywrzts | wermgr.exe
  File renamed | C:\Users\Admin\Pictures\CompressSwitch.tif => C:\Users\Admin\Pictures\CompressSwitch.tif.siywrzts | wermgr.exe
  File opened for modification | C:\Users\Admin\Pictures\EditStart.tiff | wermgr.exe
- Drops startup file (2 IoCs)
  Processes: wermgr.exe
  Description | IoC | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\SIYWRZTS-DECRYPT.txt | wermgr.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\3636cbb53636cc5511d.lock | wermgr.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: wermgr.exe
  Description | IoC | Process
  File opened (read-only) | \??\L:, \??\W:, \??\N:, \??\P:, \??\Q:, \??\R:, \??\E:, \??\G:, \??\J:, \??\O:, \??\S:, \??\T:, \??\V:, \??\X:, \??\A:, \??\F:, \??\I:, \??\K:, \??\M:, \??\U:, \??\Y:, \??\Z:, \??\B:, \??\H: (one event per drive letter, in the order logged; every letter except C: and D:) | wermgr.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: wermgr.exe
  Description | IoC | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | wermgr.exe
- Drops file in Program Files directory (27 IoCs)
  Processes: wermgr.exe
  Description | IoC | Process
  File created | C:\Program Files (x86)\SIYWRZTS-DECRYPT.txt | wermgr.exe
  File opened for modification | C:\Program Files\AddDisable.ppt | wermgr.exe
  File opened for modification | C:\Program Files\MountDisconnect.cr2 | wermgr.exe
  File opened for modification | C:\Program Files\ShowClose.aifc | wermgr.exe
  File opened for modification | C:\Program Files\SplitImport.emf | wermgr.exe
  File created | C:\Program Files\SIYWRZTS-DECRYPT.txt | wermgr.exe
  File opened for modification | C:\Program Files\ProtectUnprotect.vsd | wermgr.exe
  File opened for modification | C:\Program Files\RenameUnblock.ppsm | wermgr.exe
  File opened for modification | C:\Program Files\SaveClose.mp3 | wermgr.exe
  File created | C:\Program Files (x86)\3636cbb53636cc5511d.lock | wermgr.exe
  File opened for modification | C:\Program Files\UnpublishUndo.pps | wermgr.exe
  File opened for modification | C:\Program Files\WatchLimit.mp4 | wermgr.exe
  File opened for modification | C:\Program Files\SelectSplit.wmx | wermgr.exe
  File opened for modification | C:\Program Files\ClearRestore.zip | wermgr.exe
  File opened for modification | C:\Program Files\RevokeConvert.M2TS | wermgr.exe
  File opened for modification | C:\Program Files\RevokeSave.pptx | wermgr.exe
  File opened for modification | C:\Program Files\SkipAdd.mp4 | wermgr.exe
  File opened for modification | C:\Program Files\InstallPublish.M2T | wermgr.exe
  File opened for modification | C:\Program Files\LockAdd.docx | wermgr.exe
  File opened for modification | C:\Program Files\PublishReset.search-ms | wermgr.exe
  File opened for modification | C:\Program Files\SearchPop.ppsm | wermgr.exe
  File created | C:\Program Files\3636cbb53636cc5511d.lock | wermgr.exe
  File opened for modification | C:\Program Files\BackupGroup.3g2 | wermgr.exe
  File opened for modification | C:\Program Files\CompleteDeny.M2TS | wermgr.exe
  File opened for modification | C:\Program Files\EnableResume.wpl | wermgr.exe
  File opened for modification | C:\Program Files\EnterLock.m1v | wermgr.exe
  File opened for modification | C:\Program Files\SaveExpand.eprtx | wermgr.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: wermgr.exe
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wermgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wermgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wermgr.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: wermgr.exe
  PID | Process
  3948 | wermgr.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes: wmic.exe, vssvc.exe
  Description | PID | Process
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence of 21 tokens was logged twice, 42 events) | 4796 | wmic.exe
  Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 4808 | vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: new.exe, wermgr.exe
  Description | PID | Process | Target process
  PID 3136 wrote to memory of 3948 (5 events) | 3136 | new.exe | wermgr.exe
  PID 3948 wrote to memory of 4796 (3 events) | 3948 | wermgr.exe | wmic.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\new.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\new.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wermgr.exe
    Command line: "C:\Windows\System32\wermgr.exe"
    - Modifies extensions of user files
    - Drops startup file
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wbem\wmic.exe
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken