Analysis
- max time kernel: 42s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 27-06-2022 00:08

Static task: static1

Behavioral task: behavioral1
- Sample: 3575cc26ec8d3dd669946f9156ace7eaecca470525d6af8402d0688513cd6992.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 3575cc26ec8d3dd669946f9156ace7eaecca470525d6af8402d0688513cd6992.exe
- Resource: win10v2004-20220414-en

General
- Target: 3575cc26ec8d3dd669946f9156ace7eaecca470525d6af8402d0688513cd6992.exe
- Size: 171KB
- MD5: 0841db4bef7227c34bc9d8bcbc931410
- SHA1: 473d3950f379a4a7c36f799c7e52929b2ff11acb
- SHA256: 3575cc26ec8d3dd669946f9156ace7eaecca470525d6af8402d0688513cd6992
- SHA512: de06093dd3f330ab55762f67f9bf9827bb751136b47ecb1f5ccd7484a909661c8d8337a533cb34abbf74b8b8e1a25845970639ff66733dd3839046b1c16b0869
Malware Config
- Extracted: C:\LPGSFN-MANUAL.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/bfac015bc07d021a
Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: 3575cc26ec8d3dd669946f9156ace7eaecca470525d6af8402d0688513cd6992.exe
- File renamed: C:\Users\Admin\Pictures\InstallUnprotect.png => C:\Users\Admin\Pictures\InstallUnprotect.png.lpgsfn
- File renamed: C:\Users\Admin\Pictures\OpenConnect.raw => C:\Users\Admin\Pictures\OpenConnect.raw.lpgsfn
- File renamed: C:\Users\Admin\Pictures\StartSet.raw => C:\Users\Admin\Pictures\StartSet.raw.lpgsfn
- File renamed: C:\Users\Admin\Pictures\StepEdit.tif => C:\Users\Admin\Pictures\StepEdit.tif.lpgsfn
- File renamed: C:\Users\Admin\Pictures\UnblockOut.raw => C:\Users\Admin\Pictures\UnblockOut.raw.lpgsfn
- File opened for modification: C:\Users\Admin\Pictures\WriteSubmit.tiff
- File renamed: C:\Users\Admin\Pictures\WriteSubmit.tiff => C:\Users\Admin\Pictures\WriteSubmit.tiff.lpgsfn
- File renamed: C:\Users\Admin\Pictures\DenyProtect.png => C:\Users\Admin\Pictures\DenyProtect.png.lpgsfn
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 3575cc26ec8d3dd669946f9156ace7eaecca470525d6af8402d0688513cd6992.exe
- File opened (read-only), 24 drive roots (every letter except C: and D:): \??\A:, \??\E:, \??\K:, \??\T:, \??\Y:, \??\B:, \??\M:, \??\N:, \??\P:, \??\W:, \??\X:, \??\Z:, \??\F:, \??\H:, \??\I:, \??\O:, \??\Q:, \??\R:, \??\V:, \??\G:, \??\J:, \??\L:, \??\S:, \??\U:
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Process: 3575cc26ec8d3dd669946f9156ace7eaecca470525d6af8402d0688513cd6992.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp"
Drops file in Program Files directory (21 IoCs)
Process: 3575cc26ec8d3dd669946f9156ace7eaecca470525d6af8402d0688513cd6992.exe
- File created: C:\Program Files\c07d05f9c07d021a613.lock
- File opened for modification: C:\Program Files\InitializeReceive.docm
- File opened for modification: C:\Program Files\RevokeFind.mov
- File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\LPGSFN-MANUAL.txt
- File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\LPGSFN-MANUAL.txt
- File opened for modification: C:\Program Files\RequestBlock.ppsx
- File opened for modification: C:\Program Files\SearchComplete.wpl
- File opened for modification: C:\Program Files\StartSplit.TTS
- File created: C:\Program Files\LPGSFN-MANUAL.txt
- File opened for modification: C:\Program Files\CopyNew.jpe
- File opened for modification: C:\Program Files\DebugSend.midi
- File opened for modification: C:\Program Files\EditWait.vsx
- File opened for modification: C:\Program Files\ImportRequest.3gp
- File created: C:\Program Files (x86)\c07d05f9c07d021a613.lock
- File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\c07d05f9c07d021a613.lock
- File opened for modification: C:\Program Files\CopyRepair.xlsb
- File created: C:\Program Files (x86)\LPGSFN-MANUAL.txt
- File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\LPGSFN-MANUAL.txt
- File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\c07d05f9c07d021a613.lock
- File opened for modification: C:\Program Files\LockPush.tiff
- File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\c07d05f9c07d021a613.lock
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: 3575cc26ec8d3dd669946f9156ace7eaecca470525d6af8402d0688513cd6992.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Process: vssadmin.exe (PID 688)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: 3575cc26ec8d3dd669946f9156ace7eaecca470525d6af8402d0688513cd6992.exe (PID 1228), 2 events

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Process: vssvc.exe (PID 336)
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeAuditPrivilege

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 1228 (3575cc26ec8d3dd669946f9156ace7eaecca470525d6af8402d0688513cd6992.exe) wrote to memory of PID 1528 (cmd.exe), 4 events
- PID 1528 (cmd.exe) wrote to memory of PID 688 (vssadmin.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\3575cc26ec8d3dd669946f9156ace7eaecca470525d6af8402d0688513cd6992.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3575cc26ec8d3dd669946f9156ace7eaecca470525d6af8402d0688513cd6992.exe"
  Signatures:
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      Signatures:
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/688-58-0x0000000000000000-mapping.dmp
- memory/1228-54-0x00000000751C1000-0x00000000751C3000-memory.dmp (Filesize: 8KB)
- memory/1228-56-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/1228-55-0x0000000000230000-0x0000000000259000-memory.dmp (Filesize: 164KB)
- memory/1228-59-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/1528-57-0x0000000000000000-mapping.dmp