Overview

overview

10

Static

static

3762ca8536...c2.exe

windows7_x64

10

3762ca8536...c2.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 23:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe

  • Size

    578KB

  • MD5

    a3b368af763600c26c44d7cc3c0af571

  • SHA1

    8e783c3279aaaac3653520bc519f4ea072846149

  • SHA256

    3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2

  • SHA512

    69c64c9931344332db35ca12b25e4e95d7210f436332c452990e2d01ae1f54dc44d76e820e7d0990ba6649faf0670593af93ec54a757b054a918ea3af991c63e

Score
10/10
gandcrabbackdoorransomwarespywarestealersuricata

Malware Config

Extracted

Path

C:\TERAJH-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .TERAJH The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/3cd64faaaba12900 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAP4+VS+tPsDKYgUBjxUAjzs3chEoUMoVunzGdg0ssl9ZjOuSBoFNCeSU6lvjIL71EQ1IRZexCxUJl+D68bRDILujwr0Vxxe9vcY48czKhFh0eK7LcS+Cbgsnx6P980fhysgnuCrJamRL3aTemJJ2WTSHYTVg0/NtKVNzQoPW6v9+nX5DNFlIr4/JtXrO4ZL7DMaljK2FU7xiVuz8xrZ2Zj7FbJkhsQijG3MF9p4zT/KqlveZOc/SbPErXqIVlXfpLINKeUAgZYigxtorpluxUJK4OZ1xWkINcl8ZdmCDiHIVg/nMQ39GlEBimZURViDJqBjUI/vL8EshGT2imRCq/kOL9dRDbA6sdE0bhEPB91R0VxTbBncy11Tb/4kyIt2kL9LMWTf5U1vPPTuGMAzseKSQ1vR4v9zbvXnkFjasoNixg9QYYZWryAiVf6eI0ctqLTgr0wFRy2lGE1PLajY5yMUjXuINEREjypr+LW+0nr+FWA043fZRannhX1j4fiSJiWUx5zpQZ8Y6a6a39TDkxv1iCrMRKWzqJGl3fEhBVbkqzQGrG2mkGdGLp4Ven6dJ7fNQ2Ob8qYvo659aydyzuQnZiodBnPWu81LJntsShE2wQKrQZZMtx9r4SdOvkBlT/8M6+Pl1h04HfH1TjN3bjLbHRlq0IyWWLQ+CxPtb89ae4cp0u4gwR3FDO7N3uayhhjAEwBacHQfoVEArh81P5/sO5eP3kmqj0kqkM7k1I3V5y9JaFbZL6SoftWCgzZzsycuC1MRsE65rI58kaWOt064uk7q2+KG5i9zQrUxhxmpQtk0O9fEbgm/uQb7jXBn0reL2gPglM79suTR7o7GgO6VtMssGMvwIDMVKY30kz+S7Kecbys8P2ZfNP9kqCsnUkaqpOEMIHI249WcT/2qB05pDs6oES0OWJ+FehH23KgFRurUxdYNmsba+M7oJFyfgu38fYs1tGxsfYXYG7wdZWpFDdGTvCMtXrvo5rEjE91NHFynSeqRKR57tGkSV7qE1CWTUBvf20753sx3/hcBLblhoSmNAAbkpGM0qxuk4IlwGOUlIuVZCjxEe9A2YvuRREae+GpCf8GiNPkkkmglEkyYbuMQ24VaduCTJD8a/MgSjmfkhCoG6lhqiVf95coaeOvWHTnhakAevuVhB06xTCkLpzHlZMdQZJZz2KYB0po6VInidgw2DCrfjm3FHBLvdAdqpE8M8vhx6QjqX6Hu3FVxP685gDfD0OWhKm4kkHLdtCXKUqTfo4u8vHJ1abLIpDWbIrhZ1Tt14G9CjiU9XPRH9Qb1njR+gFbWt1ych+lE59bOD1clbGTV5+b6uqUf0n9YacXLMEXqiYRn/F27wuqes5DByE42Sq0OmscjIRF9n5GRoRsIRRVVfSl4xoaaMszUC0zHgvigvFJZzP6BAHzqPqZeWAt7qLYyUlqO1AlFo07yL/jhtBwab3zfx1Sv1w3z4Z/GxLwjHqwmPP/m2+trP4Cz1+RPlmQsdBtE0f/dLkjn+wNDdOjX1b2YAG3fDiu7pOYq1uSo7stIogCag4qvKqDc2Ziy5qesBzUmLU9e/6sO0r+EXDd+AMgiH5LOFAWWVdnABxHtR4fsByHMy/mbCYrGpAc0fAEyg1WSoBgoV935gXlRAsxLsZ1dzkx5vPCK9hrXQq0wqxoUJC0+Vhox1Gn8S6ebzz65fxOEvMFLnEOqBCdNFVSdyj3TeiHehnG9942nkdGIT9zYZcg4orEVXbVK7eaDFNeiOOcfKWbPdtFtYQllR1r3eWxM57MzmFxjOMnfu0oxGfDK1reGHCLJbkDDwI03G9DH6M6qFMf1EMwlwF/eY9+/sdTlhf9bd09jHAH8UMyYlVC2QeVudbI4g3mBvjQiR+wG8Jeiv63h4dB8y4PSBCthvNf/FIwFD5UFia7ucowUzGfkgqfmWSxvjajO5fPipq6Dhgyqr8hsZ1TXi/KNt5f7gP/3JZXPYmIg2v20eDO/Ztd02TcIOu1ydeW/NTb3p/O7XM99v86PwutySAki9cIWg1vAYEIdgx9KxJBKso4JHVA1lYWQ/rPqsh29xwLW5DGjtOUGMuM/jdORtNFrxP31029xHjufqJeZfBZ1110LnrP63DEzKEOppA2H4D+9fk+tpv/tU06gbI9I/rcoOR4VhqUptI8AVx6eT0ngGb8kaLXFg433RfHfW/A/4Xo/BXheUKWuKmCYytWwna7zhf9WRF3UagGehvln+Q1I= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZRToRRtnYT7mpWtbfBTGOHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB4+L3/zI2F+siGo1YPVrSBnbt/xGHEdgboycb4tm4O6b3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoAxPMnKo+DO5eAL2fjmE0g6RrIQ3vxBFKwg7yZizpCRFF3vPLMuaq1w8ZMXQRRleKajmI1gXgeX8MmUHfnCzkQQpn2LJ8lqCwsnJaVYPpezf0fBAcasAlPyNNwH8VQyjChKYcEu7tKUi2BYlMc5HxHowOLb+dRZ0P/YkhV/3u67ObzJf9ZHZZhw== ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/3cd64faaaba12900

Signatures

  • GandCrab Payload 1 IoCs
  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

    ransomwarebackdoorgandcrab
  • suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity

    suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity

    suricata
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
    "C:\Users\Admin\AppData\Local\Temp\3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Users\Admin\AppData\Local\Temp\3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe
      C:\Users\Admin\AppData\Local\Temp\3762ca85366b8de1144bb00e5d38107313b71018cf85735936af9c14a3eaa2c2.exe"
      2⤵
      • Modifies extensions of user files
      • Checks computer location settings
      • Drops startup file
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4700
      • C:\Windows\SysWOW64\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4028
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1396
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1
T1107

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1
T1490

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4028-145-0x0000000000000000-mapping.dmp
    Download
  • memory/4700-133-0x0000000000000000-mapping.dmp
    Download
  • memory/4700-135-0x0000000077570000-0x0000000077713000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4700-139-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4700-142-0x0000000077570000-0x0000000077713000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4700-143-0x0000000077570000-0x0000000077713000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4700-144-0x0000000077570000-0x0000000077713000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4736-132-0x0000000002250000-0x0000000002258000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4736-134-0x0000000077570000-0x0000000077713000-memory.dmp
    Filesize

    1.6MB

    Download