Analysis
- max time kernel: 161s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 18:02
Static task: static1
Behavioral task: behavioral1
- Sample: 3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe
- Resource: win10v2004-20220414-en
General
- Target: 3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe
- Size: 86KB
- MD5: eb1a9bab2d88be9722845fc808ce0a68
- SHA1: a9ac457e97984eec3350ced0976f5923f56e4f53
- SHA256: 3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65
- SHA512: f8165a0a287274c8d8345714c4bdb2a9833e96e6f4173d1b164db4dc8912f0c537018a8ee090afcd99eba575121f8ee05501b7baeae3f5aaade6ad9777299ddc
Malware Config
Signatures
-
GandCrab Payload 1 IoCs
Processes:
resource: behavioral2/memory/4380-133-0x000000000F980000-0x000000000F99B000-memory.dmp; yara_rule: family_gandcrab
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\vSQshX.exe; yara_rule: aspack_v212_v242
resource: C:\Users\Admin\AppData\Local\Temp\vSQshX.exe; yara_rule: aspack_v212_v242
-
Executes dropped EXE 1 IoCs
Processes:
vSQshX.exe: pid 2488, process vSQshX.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
vSQshX.exe: Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe:
- Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ekuupyfpeue = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe"
-
Drops file in Program Files directory 64 IoCs
Processes:
vSQshX.exe: File opened for modification (64 files):
- C:\Program Files\Java\jdk1.8.0_66\bin\java.exe
- C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
- C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe
- C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe
- C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe
- C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe
- C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe
- C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe
- C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE
- C:\Program Files\VideoLAN\VLC\vlc.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe
- C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe
- C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe
- C:\Program Files\Mozilla Firefox\maintenanceservice.exe
- C:\Program Files\Windows Photo Viewer\ImagingDevices.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe
- C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe
- C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe
- C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE
- C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe
- C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe
- C:\Program Files\Mozilla Firefox\uninstall\helper.exe
- C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe
- C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
- C:\Program Files\Microsoft Office\root\Office16\msoasb.exe
- C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
- C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe
- C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe
- C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
- C:\Program Files\Mozilla Firefox\crashreporter.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe
- C:\Program Files\Microsoft Office\root\Client\AppVLP.exe
- C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe
- C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe
- C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe
- C:\Program Files\Mozilla Firefox\plugin-container.exe
- C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe
- C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exe: pid 3404, pid_target 4380, process WerFault.exe, target process 3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe: pid 4380 (2 IoCs, both for pid 4380 3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe)
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe / vSQshX.exe:
- PID 4380 wrote to memory of 2488: 3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe -> vSQshX.exe (recorded 3 times)
- PID 2488 wrote to memory of 5060: vSQshX.exe -> cmd.exe (recorded 3 times)
Processes
-
C:\Users\Admin\AppData\Local\Temp\3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe"
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\vSQshX.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\vSQshX.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\321a1a74.bat" "
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 364
    - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4380 -ip 4380
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\321a1a74.bat
Filesize: 187B
MD5: c07253fc4a99197485110750a3757c2f
SHA1: 171084922e9879132fafca628b86613b25fd9777
SHA256: 5f45e30e023d7253a715e043326d9867efb6d210d831cabdeefbc97f875b4efa
SHA512: df600e6e11c1e34fe60b1f47ef16da38aff9c6da1ef5a880ec9aab9e15262d428d657f590de11d5c82e3dac6004085b8daa6802d61499eed3d6ce84caee9b372
-
C:\Users\Admin\AppData\Local\Temp\vSQshX.exe
Filesize: 15KB
MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
memory/2488-130-0x0000000000000000-mapping.dmp
-
memory/2488-134-0x0000000000FF0000-0x0000000000FF9000-memory.dmp
Filesize: 36KB
-
memory/2488-135-0x0000000000FF0000-0x0000000000FF9000-memory.dmp
Filesize: 36KB
-
memory/2488-137-0x0000000000FF0000-0x0000000000FF9000-memory.dmp
Filesize: 36KB
-
memory/4380-133-0x000000000F980000-0x000000000F99B000-memory.dmp
Filesize: 108KB
-
memory/5060-136-0x0000000000000000-mapping.dmp