Analysis
-
max time kernel
148s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 19:16
Static task
static1
Behavioral task
behavioral1
Sample
new.exe
Resource
win10v2004-20220414-en
General
-
Target
new.exe
-
Size
1MB
-
MD5
567bc0f1abc4493a0302f73f76d99fda
-
SHA1
287799cbe83a6ee7f811da3017081b589ff1d0ad
-
SHA256
d11d4506f4edca9f202a237d35f484ee02aa0579d886696385d16769c8eb21d0
-
SHA512
c45271cb1d9dff01267da34f625891172c50d8ae870bff7a7dbab1e509c12a43c89f7afbeb5b49009372ffadac6e0184a3f98ff08c6edaedb5a093bcc9af5294
Malware Config
Extracted
C:\MBCCKHP-DECRYPT.txt
http://gandcrabmfe6mnef.onion/1020258edde7f61a
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
wermgr.exedescription ioc process File renamed C:\Users\Admin\Pictures\UnprotectUnlock.crw => C:\Users\Admin\Pictures\UnprotectUnlock.crw.mbcckhp wermgr.exe File renamed C:\Users\Admin\Pictures\DenyClear.crw => C:\Users\Admin\Pictures\DenyClear.crw.mbcckhp wermgr.exe File renamed C:\Users\Admin\Pictures\GroupCopy.crw => C:\Users\Admin\Pictures\GroupCopy.crw.mbcckhp wermgr.exe File renamed C:\Users\Admin\Pictures\SearchRevoke.png => C:\Users\Admin\Pictures\SearchRevoke.png.mbcckhp wermgr.exe File renamed C:\Users\Admin\Pictures\MountInvoke.png => C:\Users\Admin\Pictures\MountInvoke.png.mbcckhp wermgr.exe File renamed C:\Users\Admin\Pictures\ShowCopy.tif => C:\Users\Admin\Pictures\ShowCopy.tif.mbcckhp wermgr.exe File renamed C:\Users\Admin\Pictures\ConvertEnable.crw => C:\Users\Admin\Pictures\ConvertEnable.crw.mbcckhp wermgr.exe File renamed C:\Users\Admin\Pictures\CopyClear.png => C:\Users\Admin\Pictures\CopyClear.png.mbcckhp wermgr.exe File renamed C:\Users\Admin\Pictures\InitializeCompress.png => C:\Users\Admin\Pictures\InitializeCompress.png.mbcckhp wermgr.exe -
Drops startup file 2 IoCs
Processes:
wermgr.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\MBCCKHP-DECRYPT.txt wermgr.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\dde7f1f9dde7f61911d.lock wermgr.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
wermgr.exedescription ioc process File opened (read-only) \??\F: wermgr.exe File opened (read-only) \??\K: wermgr.exe File opened (read-only) \??\R: wermgr.exe File opened (read-only) \??\U: wermgr.exe File opened (read-only) \??\Q: wermgr.exe File opened (read-only) \??\W: wermgr.exe File opened (read-only) \??\X: wermgr.exe File opened (read-only) \??\A: wermgr.exe File opened (read-only) \??\B: wermgr.exe File opened (read-only) \??\E: wermgr.exe File opened (read-only) \??\G: wermgr.exe File opened (read-only) \??\L: wermgr.exe File opened (read-only) \??\P: wermgr.exe File opened (read-only) \??\T: wermgr.exe File opened (read-only) \??\V: wermgr.exe File opened (read-only) \??\H: wermgr.exe File opened (read-only) \??\I: wermgr.exe File opened (read-only) \??\J: wermgr.exe File opened (read-only) \??\M: wermgr.exe File opened (read-only) \??\N: wermgr.exe File opened (read-only) \??\O: wermgr.exe File opened (read-only) \??\S: wermgr.exe File opened (read-only) \??\Y: wermgr.exe File opened (read-only) \??\Z: wermgr.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
wermgr.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" wermgr.exe -
Drops file in Program Files directory 13 IoCs
Processes:
wermgr.exedescription ioc process File opened for modification C:\Program Files\GroupMerge.M2T wermgr.exe File opened for modification C:\Program Files\NewTest.xlsm wermgr.exe File opened for modification C:\Program Files\ResizeDisconnect.emz wermgr.exe File opened for modification C:\Program Files\StartConvertTo.aiff wermgr.exe File created C:\Program Files\MBCCKHP-DECRYPT.txt wermgr.exe File opened for modification C:\Program Files\EnterRedo.reg wermgr.exe File opened for modification C:\Program Files\FormatSet.tiff wermgr.exe File opened for modification C:\Program Files\RequestInstall.vsx wermgr.exe File opened for modification C:\Program Files\WatchEdit.mpg wermgr.exe File created C:\Program Files (x86)\MBCCKHP-DECRYPT.txt wermgr.exe File created C:\Program Files (x86)\dde7f1f9dde7f61911d.lock wermgr.exe File created C:\Program Files\dde7f1f9dde7f61911d.lock wermgr.exe File opened for modification C:\Program Files\ExpandUpdate.xps wermgr.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
wermgr.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wermgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wermgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wermgr.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
wermgr.exepid process 4348 wermgr.exe 4348 wermgr.exe 4348 wermgr.exe 4348 wermgr.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
wmic.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 1172 wmic.exe Token: SeSecurityPrivilege 1172 wmic.exe Token: SeTakeOwnershipPrivilege 1172 wmic.exe Token: SeLoadDriverPrivilege 1172 wmic.exe Token: SeSystemProfilePrivilege 1172 wmic.exe Token: SeSystemtimePrivilege 1172 wmic.exe Token: SeProfSingleProcessPrivilege 1172 wmic.exe Token: SeIncBasePriorityPrivilege 1172 wmic.exe Token: SeCreatePagefilePrivilege 1172 wmic.exe Token: SeBackupPrivilege 1172 wmic.exe Token: SeRestorePrivilege 1172 wmic.exe Token: SeShutdownPrivilege 1172 wmic.exe Token: SeDebugPrivilege 1172 wmic.exe Token: SeSystemEnvironmentPrivilege 1172 wmic.exe Token: SeRemoteShutdownPrivilege 1172 wmic.exe Token: SeUndockPrivilege 1172 wmic.exe Token: SeManageVolumePrivilege 1172 wmic.exe Token: 33 1172 wmic.exe Token: 34 1172 wmic.exe Token: 35 1172 wmic.exe Token: 36 1172 wmic.exe Token: SeIncreaseQuotaPrivilege 1172 wmic.exe Token: SeSecurityPrivilege 1172 wmic.exe Token: SeTakeOwnershipPrivilege 1172 wmic.exe Token: SeLoadDriverPrivilege 1172 wmic.exe Token: SeSystemProfilePrivilege 1172 wmic.exe Token: SeSystemtimePrivilege 1172 wmic.exe Token: SeProfSingleProcessPrivilege 1172 wmic.exe Token: SeIncBasePriorityPrivilege 1172 wmic.exe Token: SeCreatePagefilePrivilege 1172 wmic.exe Token: SeBackupPrivilege 1172 wmic.exe Token: SeRestorePrivilege 1172 wmic.exe Token: SeShutdownPrivilege 1172 wmic.exe Token: SeDebugPrivilege 1172 wmic.exe Token: SeSystemEnvironmentPrivilege 1172 wmic.exe Token: SeRemoteShutdownPrivilege 1172 wmic.exe Token: SeUndockPrivilege 1172 wmic.exe Token: SeManageVolumePrivilege 1172 wmic.exe Token: 33 1172 wmic.exe Token: 34 1172 wmic.exe Token: 35 1172 wmic.exe Token: 36 1172 wmic.exe Token: SeBackupPrivilege 4516 vssvc.exe Token: SeRestorePrivilege 4516 vssvc.exe Token: SeAuditPrivilege 4516 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
new.exewermgr.exedescription pid process target process PID 5016 wrote to memory of 4348 5016 new.exe wermgr.exe PID 5016 wrote to memory of 4348 5016 new.exe wermgr.exe PID 5016 wrote to memory of 4348 5016 new.exe wermgr.exe PID 5016 wrote to memory of 4348 5016 new.exe wermgr.exe PID 5016 wrote to memory of 4348 5016 new.exe wermgr.exe PID 4348 wrote to memory of 1172 4348 wermgr.exe wmic.exe PID 4348 wrote to memory of 1172 4348 wermgr.exe wmic.exe PID 4348 wrote to memory of 1172 4348 wermgr.exe wmic.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\new.exe"C:\Users\Admin\AppData\Local\Temp\new.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wermgr.exe"C:\Windows\System32\wermgr.exe"2⤵
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken