Analysis
max time kernel: 156s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25-06-2022 23:29

Static task: static1
Behavioral task: behavioral1
Sample: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
Resource: win7-20220414-en
General
Target: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
Size: 578KB
MD5: a3b368af763600c26c44d7cc3c0af571
SHA1: 8e783c3279aaaac3653520bc519f4ea072846149
SHA256: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2
SHA512: 69c64c9931344332db35ca12b25e4e95d7210f436332c452990e2d01ae1f54dc44d76e820e7d0990ba6649faf0670593af93ec54a757b054a918ea3af991c63e
Malware Config
Extracted from: C:\TERAJH-DECRYPT.txt
http://gandcrabmfe6mnef.onion/3cd64faaaba12900
Signatures

GandCrab Payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4700-139-0x0000000000400000-0x0000000000428000-memory.dmp | family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ExportInitialize.raw => C:\Users\Admin\Pictures\ExportInitialize.raw.terajh | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Users\Admin\Pictures\OptimizeExport.tiff | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File renamed | C:\Users\Admin\Pictures\OptimizeExport.tiff => C:\Users\Admin\Pictures\OptimizeExport.tiff.terajh | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File renamed | C:\Users\Admin\Pictures\PublishEnable.crw => C:\Users\Admin\Pictures\PublishEnable.crw.terajh | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Users\Admin\Pictures\SkipSubmit.tiff | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File renamed | C:\Users\Admin\Pictures\SkipSubmit.tiff => C:\Users\Admin\Pictures\SkipSubmit.tiff.terajh | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File renamed | C:\Users\Admin\Pictures\DismountExport.png => C:\Users\Admin\Pictures\DismountExport.png.terajh | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File renamed | C:\Users\Admin\Pictures\DismountWait.tif => C:\Users\Admin\Pictures\DismountWait.tif.terajh | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe

Drops startup file 2 IoCs
Processes: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\TERAJH-DECRYPT.txt | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\aba12ee3aba12900712.lock | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
description | ioc | process
File opened (read-only) | \??\G: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\M: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\Q: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\T: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\W: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\H: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\K: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\Y: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\Z: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\F: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\N: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\O: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\U: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\V: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\X: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\P: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\R: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\A: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\B: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\E: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\I: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\J: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\L: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened (read-only) | \??\S: | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe

Drops file in System32 directory 2 IoCs
Processes: svchost.exe
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{613C9DF3-0F27-4976-BDD0-355F6E810411}.catalogItem | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D839468B-9EDB-472A-A012-C01F60D97824}.catalogItem | svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
description | pid | process | target process
PID 4736 set thread context of 4700 | 4736 | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe

Drops file in Program Files directory 22 IoCs
Processes: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
description | ioc | process
File opened for modification | C:\Program Files\SearchReceive.potm | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File created | C:\Program Files\TERAJH-DECRYPT.txt | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File created | C:\Program Files\aba12ee3aba12900712.lock | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Program Files\BackupExport.jpeg | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Program Files\EditGet.eprtx | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Program Files\RequestPing.mp3 | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Program Files\DenyRepair.wvx | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Program Files\MergeUnlock.mpeg2 | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Program Files\RegisterApprove.mpeg3 | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Program Files\SaveGrant.vsx | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File created | C:\Program Files (x86)\aba12ee3aba12900712.lock | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Program Files\SaveOpen.3gpp | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Program Files\UnlockConnect.tif | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Program Files\WriteRestart.xlsm | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Program Files\ApproveImport.xls | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Program Files\AssertResize.001 | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Program Files\JoinImport.m4v | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Program Files\LockComplete.jpg | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Program Files\RedoStart.png | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Program Files\ExpandComplete.aif | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File opened for modification | C:\Program Files\StartRename.xlsb | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
File created | C:\Program Files (x86)\TERAJH-DECRYPT.txt | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe, svchost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe

Enumerates system info in registry 2 TTPs 2 IoCs
Processes: svchost.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
pid | process
4700 | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
4700 | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
4700 | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
4700 | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes: wmic.exe, vssvc.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 4028 | wmic.exe
Token: SeSecurityPrivilege | 4028 | wmic.exe
Token: SeTakeOwnershipPrivilege | 4028 | wmic.exe
Token: SeLoadDriverPrivilege | 4028 | wmic.exe
Token: SeSystemProfilePrivilege | 4028 | wmic.exe
Token: SeSystemtimePrivilege | 4028 | wmic.exe
Token: SeProfSingleProcessPrivilege | 4028 | wmic.exe
Token: SeIncBasePriorityPrivilege | 4028 | wmic.exe
Token: SeCreatePagefilePrivilege | 4028 | wmic.exe
Token: SeBackupPrivilege | 4028 | wmic.exe
Token: SeRestorePrivilege | 4028 | wmic.exe
Token: SeShutdownPrivilege | 4028 | wmic.exe
Token: SeDebugPrivilege | 4028 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 4028 | wmic.exe
Token: SeRemoteShutdownPrivilege | 4028 | wmic.exe
Token: SeUndockPrivilege | 4028 | wmic.exe
Token: SeManageVolumePrivilege | 4028 | wmic.exe
Token: 33 | 4028 | wmic.exe
Token: 34 | 4028 | wmic.exe
Token: 35 | 4028 | wmic.exe
Token: 36 | 4028 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 4028 | wmic.exe
Token: SeSecurityPrivilege | 4028 | wmic.exe
Token: SeTakeOwnershipPrivilege | 4028 | wmic.exe
Token: SeLoadDriverPrivilege | 4028 | wmic.exe
Token: SeSystemProfilePrivilege | 4028 | wmic.exe
Token: SeSystemtimePrivilege | 4028 | wmic.exe
Token: SeProfSingleProcessPrivilege | 4028 | wmic.exe
Token: SeIncBasePriorityPrivilege | 4028 | wmic.exe
Token: SeCreatePagefilePrivilege | 4028 | wmic.exe
Token: SeBackupPrivilege | 4028 | wmic.exe
Token: SeRestorePrivilege | 4028 | wmic.exe
Token: SeShutdownPrivilege | 4028 | wmic.exe
Token: SeDebugPrivilege | 4028 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 4028 | wmic.exe
Token: SeRemoteShutdownPrivilege | 4028 | wmic.exe
Token: SeUndockPrivilege | 4028 | wmic.exe
Token: SeManageVolumePrivilege | 4028 | wmic.exe
Token: 33 | 4028 | wmic.exe
Token: 34 | 4028 | wmic.exe
Token: 35 | 4028 | wmic.exe
Token: 36 | 4028 | wmic.exe
Token: SeBackupPrivilege | 1396 | vssvc.exe
Token: SeRestorePrivilege | 1396 | vssvc.exe
Token: SeAuditPrivilege | 1396 | vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
pid | process
4736 | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe

Suspicious use of WriteProcessMemory 6 IoCs
Processes: 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe (PID 4736), 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe (PID 4700)
description | pid | process | target process
PID 4736 wrote to memory of 4700 | 4736 | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
PID 4736 wrote to memory of 4700 | 4736 | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
PID 4736 wrote to memory of 4700 | 4736 | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
PID 4700 wrote to memory of 4028 | 4700 | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe | wmic.exe
PID 4700 wrote to memory of 4028 | 4700 | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe | wmic.exe
PID 4700 wrote to memory of 4028 | 4700 | 3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe | wmic.exe

Processes
(indentation shows the parent/child tree; the original report marks each entry with its depth 1, 2 or 3)

C:\Users\Admin\AppData\Local\Temp\3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe"
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe (depth 2, child of the above)
    command line: C:\Users\Admin\AppData\Local\Temp\3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe"
    - Modifies extensions of user files
    - Checks computer location settings
    - Drops startup file
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\wbem\wmic.exe (depth 3, child of the above)
        command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (depth 1)
command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\svchost.exe (depth 1)
command line: C:\Windows\System32\svchost.exe -k netsvcs -p
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry

Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/4028-145-0x0000000000000000-mapping.dmp
memory/4700-133-0x0000000000000000-mapping.dmp
memory/4700-135-0x0000000077570000-0x0000000077713000-memory.dmp (Filesize: 1.6MB)
memory/4700-139-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
memory/4700-142-0x0000000077570000-0x0000000077713000-memory.dmp (Filesize: 1.6MB)
memory/4700-143-0x0000000077570000-0x0000000077713000-memory.dmp (Filesize: 1.6MB)
memory/4700-144-0x0000000077570000-0x0000000077713000-memory.dmp (Filesize: 1.6MB)
memory/4736-132-0x0000000002250000-0x0000000002258000-memory.dmp (Filesize: 32KB)
memory/4736-134-0x0000000077570000-0x0000000077713000-memory.dmp (Filesize: 1.6MB)