gandcrab | 3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65

General

Target

3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe
Size

86KB
MD5

eb1a9bab2d88be9722845fc808ce0a68
SHA1

a9ac457e97984eec3350ced0976f5923f56e4f53
SHA256

3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65
SHA512

f8165a0a287274c8d8345714c4bdb2a9833e96e6f4173d1b164db4dc8912f0c537018a8ee090afcd99eba575121f8ee05501b7baeae3f5aaade6ad9777299ddc

Score

10^/10

gandcrab aspackv2 backdoor persistence ransomware

Malware Config

Signatures

GandCrab Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4380-133-0x000000000F980000-0x000000000F99B000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\vSQshX.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\vSQshX.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

vSQshX.exe

pid process

2488 vSQshX.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

vSQshX.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation vSQshX.exe

pid	process
2488	vSQshX.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	vSQshX.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ekuupyfpeue = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe"	3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe

Drops file in Program Files directory 64 IoCs

Processes:

vSQshX.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	vSQshX.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	vSQshX.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	vSQshX.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	vSQshX.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	vSQshX.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe	vSQshX.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe	vSQshX.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	vSQshX.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	vSQshX.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	vSQshX.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	vSQshX.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe	vSQshX.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	vSQshX.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	vSQshX.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	vSQshX.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE	vSQshX.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	vSQshX.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	vSQshX.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	vSQshX.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	vSQshX.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	vSQshX.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	vSQshX.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE	vSQshX.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE	vSQshX.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	vSQshX.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	vSQshX.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe	vSQshX.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE	vSQshX.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe	vSQshX.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	vSQshX.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	vSQshX.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	vSQshX.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	vSQshX.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	vSQshX.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	vSQshX.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe	vSQshX.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe	vSQshX.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	vSQshX.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	vSQshX.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	vSQshX.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	vSQshX.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	vSQshX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3404 4380 WerFault.exe 3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe

pid	pid_target	process	target process
3404	4380	WerFault.exe	3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe

pid	process
4380	3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe
4380	3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exevSQshX.exe

description	pid	process	target process
PID 4380 wrote to memory of 2488	4380	3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe	vSQshX.exe
PID 4380 wrote to memory of 2488	4380	3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe	vSQshX.exe
PID 4380 wrote to memory of 2488	4380	3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe	vSQshX.exe
PID 2488 wrote to memory of 5060	2488	vSQshX.exe	cmd.exe
PID 2488 wrote to memory of 5060	2488	vSQshX.exe	cmd.exe
PID 2488 wrote to memory of 5060	2488	vSQshX.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe
"C:\Users\Admin\AppData\Local\Temp\3909b1f4a50c81478aaffc196dae53fc6c905edfde3e4c725481d2aecfea8d65.exe"
1⤵
- Adds Run key to start application
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4380

C:\Users\Admin\AppData\Local\Temp\vSQshX.exe
C:\Users\Admin\AppData\Local\Temp\vSQshX.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\321a1a74.bat" "
3⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 364
2⤵
- Program crash
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4380 -ip 4380
1⤵
PID:2536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\321a1a74.bat
Filesize
187B

MD5
c07253fc4a99197485110750a3757c2f

SHA1
171084922e9879132fafca628b86613b25fd9777

SHA256
5f45e30e023d7253a715e043326d9867efb6d210d831cabdeefbc97f875b4efa

SHA512
df600e6e11c1e34fe60b1f47ef16da38aff9c6da1ef5a880ec9aab9e15262d428d657f590de11d5c82e3dac6004085b8daa6802d61499eed3d6ce84caee9b372

Download Submit
C:\Users\Admin\AppData\Local\Temp\vSQshX.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vSQshX.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
memory/2488-130-0x0000000000000000-mapping.dmp

Download
memory/2488-134-0x0000000000FF0000-0x0000000000FF9000-memory.dmp

Filesize
36KB

Download
memory/2488-135-0x0000000000FF0000-0x0000000000FF9000-memory.dmp

Filesize
36KB

Download
memory/2488-137-0x0000000000FF0000-0x0000000000FF9000-memory.dmp

Filesize
36KB

Download
memory/4380-133-0x000000000F980000-0x000000000F99B000-memory.dmp

Filesize
108KB

Download
memory/5060-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads