Analysis
max time kernel: 137s
max time network: 47s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25-06-2022 23:29

Static task: static1
Behavioral task: behavioral1
Sample: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
Resource: win7-20220414-en
General
Target: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
Size: 578KB
MD5: a3b368af763600c26c44d7cc3c0af571
SHA1: 8e783c3279aaaac3653520bc519f4ea072846149
SHA256: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2
SHA512: 69c64c9931344332db35ca12b25e4e95d7210f436332c452990e2d01ae1f54dc44d76e820e7d0990ba6649faf0670593af93ec54a757b054a918ea3af991c63e
Malware Config
Extracted from: C:\ZBVXKT-DECRYPT.txt (the ransom note dropped in the root of C:)
URL: http://gandcrabmfe6mnef.onion/d4401093f195500
Signatures

GandCrab Payload (2 IoCs)
Processes:
resource: behavioral1/memory/1928-64-0x0000000000400000-0x0000000000428000-memory.dmp  yara_rule: family_gandcrab
resource: behavioral1/memory/1928-67-0x0000000077400000-0x0000000077580000-memory.dmp  yara_rule: family_gandcrab

Gandcrab
GandCrab is ransomware that encrypts files on a computer and points the victim at a Tor (.onion) payment site. Both YARA matches are in the memory of the second process, PID 1928, not in the process launched from disk; the 160KB region at 0x00400000 is that process's image range, so it is the dump to carve if you want the in-memory payload rather than the packed file on disk.
Modifies extensions of user files (10 IoCs)
Ransomware generally changes the extension on encrypted files. Here the sample appends .zbvxkt to the full original name (DebugSearch.tiff becomes DebugSearch.tiff.zbvxkt) rather than replacing the extension, so original file names are recoverable from the encrypted ones; the upper-cased extension is also the prefix of the ransom note name, ZBVXKT-DECRYPT.txt.
Process: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File renamed C:\Users\Admin\Pictures\DebugSearch.tiff => C:\Users\Admin\Pictures\DebugSearch.tiff.zbvxkt
File renamed C:\Users\Admin\Pictures\EditRequest.raw => C:\Users\Admin\Pictures\EditRequest.raw.zbvxkt
File renamed C:\Users\Admin\Pictures\ResumeMerge.png => C:\Users\Admin\Pictures\ResumeMerge.png.zbvxkt
File opened for modification C:\Users\Admin\Pictures\SyncPush.tiff
File renamed C:\Users\Admin\Pictures\SyncPush.tiff => C:\Users\Admin\Pictures\SyncPush.tiff.zbvxkt
File opened for modification C:\Users\Admin\Pictures\DebugSearch.tiff
File renamed C:\Users\Admin\Pictures\LockReset.tif => C:\Users\Admin\Pictures\LockReset.tif.zbvxkt
File renamed C:\Users\Admin\Pictures\MeasureResume.crw => C:\Users\Admin\Pictures\MeasureResume.crw.zbvxkt
File renamed C:\Users\Admin\Pictures\RevokeJoin.png => C:\Users\Admin\Pictures\RevokeJoin.png.zbvxkt
File renamed C:\Users\Admin\Pictures\TestInitialize.png => C:\Users\Admin\Pictures\TestInitialize.png.zbvxkt

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No individual IoCs are listed for this signature in the report.
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. The sample opens the root of every drive letter from A: to Z: except C: and D:, which is the usual pre-encryption sweep for removable, mapped and network drives.
Process: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) \??\F:
File opened (read-only) \??\K:
File opened (read-only) \??\R:
File opened (read-only) \??\X:
File opened (read-only) \??\Y:
File opened (read-only) \??\I:
File opened (read-only) \??\M:
File opened (read-only) \??\O:
File opened (read-only) \??\U:
File opened (read-only) \??\A:
File opened (read-only) \??\E:
File opened (read-only) \??\G:
File opened (read-only) \??\N:
File opened (read-only) \??\Z:
File opened (read-only) \??\Q:
File opened (read-only) \??\S:
File opened (read-only) \??\T:
File opened (read-only) \??\B:
File opened (read-only) \??\H:
File opened (read-only) \??\J:
File opened (read-only) \??\L:
File opened (read-only) \??\P:
File opened (read-only) \??\V:
File opened (read-only) \??\W:
Suspicious use of SetThreadContext (1 IoC)
Process: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
PID 756 set thread context of PID 1928 (3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe -> 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe)
Drops file in Program Files directory (44 IoCs)
In every directory it walks, the sample creates the same pair of marker files: the ransom note ZBVXKT-DECRYPT.txt and a lock file f1952e3f195500712.lock (both appear in C:\Program Files, C:\Program Files (x86) and three subdirectories of Microsoft SQL Server Compact Edition below). The lock-file name and the .onion URL path from the extracted config share the substring f195500. The remaining entries are data files opened for modification, i.e. about to be encrypted.
Process: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification C:\Program Files\UndoHide.dotx
File created C:\Program Files\f1952e3f195500712.lock
File opened for modification C:\Program Files\ConvertFromFind.txt
File opened for modification C:\Program Files\GetExpand.jpg
File opened for modification C:\Program Files\ImportCopy.tif
File opened for modification C:\Program Files\ProtectStop.potm
File opened for modification C:\Program Files\PushInstall.mhtml
File opened for modification C:\Program Files\SearchGet.css
File opened for modification C:\Program Files\ConfirmUnblock.M2T
File opened for modification C:\Program Files\ConvertUnprotect.docx
File opened for modification C:\Program Files\InvokeResume.pub
File opened for modification C:\Program Files\OutInvoke.rmi
File opened for modification C:\Program Files\ReceiveUnpublish.xml
File opened for modification C:\Program Files\RegisterSkip.htm
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\f1952e3f195500712.lock
File opened for modification C:\Program Files\AddSync.sql
File opened for modification C:\Program Files\DenySet.wav
File opened for modification C:\Program Files\EditUndo.fon
File created C:\Program Files (x86)\f1952e3f195500712.lock
File opened for modification C:\Program Files\CompleteJoin.zip
File opened for modification C:\Program Files\ConvertToCopy.dxf
File opened for modification C:\Program Files\DenyShow.xml
File opened for modification C:\Program Files\WriteGroup.vb
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\ZBVXKT-DECRYPT.txt
File created C:\Program Files\ZBVXKT-DECRYPT.txt
File opened for modification C:\Program Files\PingRedo.7z
File opened for modification C:\Program Files\PopExport.dib
File opened for modification C:\Program Files\SuspendConfirm.iso
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\f1952e3f195500712.lock
File opened for modification C:\Program Files\RevokeRestart.nfo
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\f1952e3f195500712.lock
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\ZBVXKT-DECRYPT.txt
File opened for modification C:\Program Files\AssertPop.3gp2
File opened for modification C:\Program Files\ConnectExit.odt
File opened for modification C:\Program Files\DisableRequest.vsw
File opened for modification C:\Program Files\DismountClear.xhtml
File opened for modification C:\Program Files\InstallRegister.dxf
File opened for modification C:\Program Files\PingRename.ram
File opened for modification C:\Program Files\ShowReset.ps1
File opened for modification C:\Program Files\CloseFormat.emf
File opened for modification C:\Program Files\InvokeRename.pdf
File opened for modification C:\Program Files\ReadDisable.xml
File created C:\Program Files (x86)\ZBVXKT-DECRYPT.txt
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\ZBVXKT-DECRYPT.txt
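The file-system IoCs above ("Modifies extensions of user files" and "Drops file in Program Files directory") are enough to derive the sample's naming profile and turn it into a triage rule for other hosts. The script below is an added example, not part of the sandbox report or of any GandCrab tooling: it parses IoC lines in the report's own "File renamed A => B" / "File created X" form (the IOC_LINES are copied from the report), derives the appended extension, ransom-note name and lock-file name, lists the directories that received the marker pair, and applies the profile to a constructed directory listing (LISTING, which is invented for the example and not from the report) to separate encrypted files and their recoverable original names from marker and untouched files.

```python
"""Triage the file-system IoCs of a ransomware sandbox run.

Added example, not part of the sandbox report or of any GandCrab tooling.
It parses IoC lines in the report's own form ("File renamed A => B",
"File created X", "File opened for modification X"), derives the naming
profile the sample used (appended extension, ransom-note name, lock-file
name), lists the directories that received the marker pair, and applies
the profile to a constructed directory listing.
"""
import ntpath
import re
from collections import Counter, defaultdict

# IoC lines copied from the report, trailing process name dropped.
IOC_LINES = [
    r"File renamed C:\Users\Admin\Pictures\DebugSearch.tiff => C:\Users\Admin\Pictures\DebugSearch.tiff.zbvxkt",
    r"File renamed C:\Users\Admin\Pictures\EditRequest.raw => C:\Users\Admin\Pictures\EditRequest.raw.zbvxkt",
    r"File renamed C:\Users\Admin\Pictures\ResumeMerge.png => C:\Users\Admin\Pictures\ResumeMerge.png.zbvxkt",
    r"File opened for modification C:\Users\Admin\Pictures\SyncPush.tiff",
    r"File created C:\Program Files\f1952e3f195500712.lock",
    r"File created C:\Program Files\ZBVXKT-DECRYPT.txt",
    r"File created C:\Program Files (x86)\f1952e3f195500712.lock",
    r"File created C:\Program Files (x86)\ZBVXKT-DECRYPT.txt",
    r"File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\ZBVXKT-DECRYPT.txt",
    r"File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\f1952e3f195500712.lock",
]

# Constructed listing of a share the sample might have reached; not from the report.
LISTING = [
    r"D:\share\Q3-forecast.xlsx.zbvxkt",
    r"D:\share\ZBVXKT-DECRYPT.txt",
    r"D:\share\f1952e3f195500712.lock",
    r"D:\share\README.md",
]

IOC_RE = re.compile(r"^File (renamed|created|opened for modification) (.+?)(?: => (.+))?$")


def parse_iocs(lines):
    """Return (action, path, new_path_or_None) tuples; unparseable lines are skipped."""
    parsed = []
    for line in lines:
        m = IOC_RE.match(line.strip())
        if m:
            parsed.append((m.group(1), m.group(2), m.group(3)))
    return parsed


def naming_profile(iocs):
    """Derive the appended extension, ransom-note name and lock-file name.

    The extension is whatever the most common rename appended to the full
    original name (the original extension is kept, e.g. .tiff.zbvxkt).
    """
    appended = Counter()
    for action, src, dst in iocs:
        if action == "renamed" and dst and dst.startswith(src + "."):
            appended[dst[len(src):]] += 1
    created = sorted({ntpath.basename(src) for action, src, _ in iocs if action == "created"})
    notes = [n for n in created if n.upper().endswith("-DECRYPT.TXT")]
    locks = [n for n in created if n.lower().endswith(".lock")]
    return {
        "ext": appended.most_common(1)[0][0] if appended else None,
        "note": notes[0] if notes else None,
        "lock": locks[0] if locks else None,
    }


def marker_dirs(iocs, profile):
    """Directories in which both the ransom note and the lock file were created."""
    names_by_dir = defaultdict(set)
    for action, src, _ in iocs:
        if action == "created":
            names_by_dir[ntpath.dirname(src)].add(ntpath.basename(src))
    return sorted(d for d, names in names_by_dir.items()
                  if profile["note"] in names and profile["lock"] in names)


def triage_listing(paths, profile):
    """Split a listing into (encrypted, original_name) pairs, marker files and untouched files."""
    ext = profile["ext"].lower()
    encrypted, markers, untouched = [], [], []
    for p in paths:
        name = ntpath.basename(p)
        if name.lower().endswith(ext) and len(name) > len(ext):
            encrypted.append((p, p[:-len(ext)]))   # strip the appended extension
        elif name in (profile["note"], profile["lock"]):
            markers.append(p)
        else:
            untouched.append(p)
    return encrypted, markers, untouched


if __name__ == "__main__":
    iocs = parse_iocs(IOC_LINES)
    profile = naming_profile(iocs)
    print("profile:", profile)
    print("directories with note + lock:", marker_dirs(iocs, profile))
    enc, markers, untouched = triage_listing(LISTING, profile)
    print("encrypted:", enc, "markers:", markers, "untouched:", untouched)
```

The profile derived from this report is ext=.zbvxkt, note=ZBVXKT-DECRYPT.txt, lock=f1952e3f195500712.lock; the note name equals the upper-cased extension plus "-DECRYPT.txt", which is the relation to check before reusing a profile against a new host, since a different victim of the same family gets a different extension.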
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
PID 1928
PID 1928
Suspicious use of SetWindowsHookEx (1 IoC)
Process: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
PID 756
Suspicious use of UnmapMainImage (1 IoC)
Process: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
PID 1928
Suspicious use of WriteProcessMemory (4 IoCs)
Process: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
PID 756 wrote to memory of PID 1928 (3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe -> 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe)
PID 756 wrote to memory of PID 1928
PID 756 wrote to memory of PID 1928
PID 756 wrote to memory of PID 1928

Read together, the SetThreadContext (756 -> 1928), WriteProcessMemory (756 -> 1928, four writes) and UnmapMainImage (in 1928) signatures are the process-hollowing pattern: the process started from disk launches a second copy of itself, the child's original image is unmapped, the parent writes a new image into it and redirects its main thread. Every file-system and registry signature in this report (extension changes, drive enumeration, ransom-note drops, the CPU check) comes from PID 1928, so the on-disk executable is a loader and the ransomware logic lives only in the hollowed child's memory.
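The SetThreadContext, WriteProcessMemory and UnmapMainImage entries are individually weak signals; the verdict comes from correlating them per process pair and then choosing which memory dump to carve. The script below is an added example, not part of the sandbox report: EVENTS, TREE and DUMPS are a constructed transcription of this report's API signatures, process tree and Downloads list (the (pid, api, target_pid) tuple layout is an assumption for the example, not the sandbox's export format). It flags a pair as hollowing only when the injector both wrote to and set the thread context of a target whose main image was unmapped, and it picks the target's dump ranges that the injector does not also have, on the reasoning that a range dumped at the same address from both processes is most likely a shared system module.

```python
"""Correlate per-API sandbox signatures into a process-hollowing verdict
and pick the memory dump worth carving.

Added example, not part of the sandbox report. EVENTS, TREE and DUMPS are
a constructed transcription of the report's SetThreadContext,
WriteProcessMemory, UnmapMainImage and SetWindowsHookEx IoCs, its process
tree and its Downloads list; the event tuple layout is an assumption, not
the sandbox's export format.
"""
import re
from collections import defaultdict

SAMPLE = "3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe"

# (pid, api, target_pid); target_pid is None when the call is not cross-process.
EVENTS = [
    (756, "SetWindowsHookEx", None),
    (756, "WriteProcessMemory", 1928),
    (756, "WriteProcessMemory", 1928),
    (756, "WriteProcessMemory", 1928),
    (756, "WriteProcessMemory", 1928),
    (756, "SetThreadContext", 1928),
    (1928, "UnmapMainImage", None),
]

# pid -> (image name, parent pid), from the report's process tree.
TREE = {756: (SAMPLE, None), 1928: (SAMPLE, 756)}

# Memory dump names as listed under Downloads.
DUMPS = [
    "memory/756-56-0x0000000000250000-0x0000000000258000-memory.dmp",
    "memory/756-57-0x0000000075941000-0x0000000075943000-memory.dmp",
    "memory/756-59-0x0000000077400000-0x0000000077580000-memory.dmp",
    "memory/1928-58-0x0000000000481827-mapping.dmp",
    "memory/1928-64-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/1928-67-0x0000000077400000-0x0000000077580000-memory.dmp",
    "memory/1928-68-0x0000000077400000-0x0000000077580000-memory.dmp",
]

HOLLOWING_APIS = {"WriteProcessMemory", "SetThreadContext"}
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def hollowing_candidates(events, tree):
    """Return one verdict per (injector, target) pair that shows the full sequence."""
    cross = defaultdict(set)      # (src pid, dst pid) -> APIs used across the boundary
    unmapped = set()              # pids whose main image was unmapped
    for pid, api, target in events:
        if api == "UnmapMainImage":
            unmapped.add(pid)
        elif target is not None and target != pid:
            cross[(pid, target)].add(api)
    verdicts = []
    for (src, dst), apis in sorted(cross.items()):
        if HOLLOWING_APIS <= apis and dst in unmapped:
            src_img, _ = tree.get(src, (None, None))
            dst_img, parent = tree.get(dst, (None, None))
            verdicts.append({
                "injector": src,
                "hollowed": dst,
                "is_child": parent == src,          # injector spawned the target
                "self_spawn": src_img == dst_img,   # target is a copy of the injector
                "apis": sorted(apis),
            })
    return verdicts


def candidate_payload_dumps(dump_names, injector, hollowed):
    """Dumps of the hollowed process at ranges the injector does not also have.

    A range dumped at the same address from both processes is most likely a
    shared system module; what is unique to the hollowed process is the
    image that was written into it. Dumps that are not address-range dumps
    (e.g. *-mapping.dmp) are ignored.
    """
    ranges = defaultdict(dict)    # pid -> {(start, end): first dump name}
    for name in dump_names:
        m = DUMP_RE.match(name)
        if m:
            pid, lo, hi = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            ranges[pid].setdefault((lo, hi), name)
    shared = set(ranges[injector])
    return [name for rng, name in sorted(ranges[hollowed].items()) if rng not in shared]


if __name__ == "__main__":
    for v in hollowing_candidates(EVENTS, TREE):
        print("hollowing:", v)
        print("carve:", candidate_payload_dumps(DUMPS, v["injector"], v["hollowed"]))
```

On this report's data the rule yields a single pair, 756 -> 1928, with is_child and self_spawn both true, and the only unique dump for 1928 is the 0x00400000-0x00428000 range, which is also the region the family_gandcrab YARA rule hit. Dropping the UnmapMainImage event leaves plain cross-process writing, which the rule deliberately does not call hollowing.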
Processes

1. C:\Users\Admin\AppData\Local\Temp\3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe (PID 756)
   Command line: "C:\Users\Admin\AppData\Local\Temp\3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe (PID 1928, child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe"
      - Modifies extensions of user files
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/756-56-0x0000000000250000-0x0000000000258000-memory.dmp  32KB
memory/756-57-0x0000000075941000-0x0000000075943000-memory.dmp  8KB
memory/756-59-0x0000000077400000-0x0000000077580000-memory.dmp  1.5MB
memory/1928-58-0x0000000000481827-mapping.dmp
memory/1928-64-0x0000000000400000-0x0000000000428000-memory.dmp  160KB  (matches family_gandcrab)
memory/1928-67-0x0000000077400000-0x0000000077580000-memory.dmp  1.5MB  (matches family_gandcrab)
memory/1928-68-0x0000000077400000-0x0000000077580000-memory.dmp  1.5MB