Analysis
- max time kernel: 59s
- max time network: 62s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 10:53

Static task: static1
Behavioral task: behavioral1
Sample: new.exe
Resource: win10v2004-20220414-en
General
- Target: new.exe
- Size: 1.9MB
- MD5: 68452d35af58fc91e8d9d626f841232a
- SHA1: 15257211e4e781ca77148cc5106dd8fd344e945c
- SHA256: 50a63379f799e5b85c641fa68515825c54e2d91f386715a3efc11ce1a236a661
- SHA512: 57ec3a19b54513600996933b2664b76a1200765aca2258ef56323a650e474673f548dc224ab8bf316c06911c80f225ea1b58b401a22679c1763ad7094146f34e
Malware Config
Extracted
- Ransom note: C:\AVCYKIQEGU-DECRYPT.txt
- URL: http://gandcrabmfe6mnef.onion/eccb2a34b2a0306
Signatures
- GandCrab Payload (1 IoC)
  Processes (resource / yara_rule):
  - behavioral1/memory/4868-132-0x0000000000400000-0x0000000000428000-memory.dmp / family_gandcrab
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
- suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
-
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description / ioc / process):
  - File renamed / C:\Users\Admin\Pictures\ProtectAdd.png => C:\Users\Admin\Pictures\ProtectAdd.png.avcykiqegu / wermgr.exe
  - File renamed / C:\Users\Admin\Pictures\RegisterUpdate.tif => C:\Users\Admin\Pictures\RegisterUpdate.tif.avcykiqegu / wermgr.exe
  - File renamed / C:\Users\Admin\Pictures\RestartResize.crw => C:\Users\Admin\Pictures\RestartResize.crw.avcykiqegu / wermgr.exe
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  - File created / C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\4b2a04e54b2a030729.lock / wermgr.exe
  - File created / C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\AVCYKIQEGU-DECRYPT.txt / wermgr.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description / ioc / process):
  - File opened (read-only) by wermgr.exe, in observed order: \??\Q:, \??\R:, \??\S:, \??\T:, \??\W:, \??\I:, \??\P:, \??\B:, \??\H:, \??\G:, \??\K:, \??\M:, \??\O:, \??\V:, \??\Y:, \??\A:, \??\E:, \??\Z:, \??\L:, \??\N:, \??\U:, \??\X:, \??\F:, \??\J:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str) / \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" / wermgr.exe
- Drops file in Program Files directory (25 IoCs)
  Processes (description / ioc / process), all by wermgr.exe:
  - File opened for modification / C:\Program Files\DisableConvertTo.js
  - File opened for modification / C:\Program Files\ExportUnlock.ttc
  - File opened for modification / C:\Program Files\RemoveRename.vsdm
  - File opened for modification / C:\Program Files\RenameGrant.png
  - File opened for modification / C:\Program Files\WaitMerge.ini
  - File created / C:\Program Files\4b2a04e54b2a030729.lock
  - File opened for modification / C:\Program Files\BackupProtect.mhtml
  - File opened for modification / C:\Program Files\SendRestart.DVR-MS
  - File opened for modification / C:\Program Files\UpdateInstall.edrwx
  - File opened for modification / C:\Program Files\ClearSplit.wma
  - File opened for modification / C:\Program Files\InvokeWrite.xsl
  - File opened for modification / C:\Program Files\PublishOut.wdp
  - File opened for modification / C:\Program Files\ShowStop.vb
  - File opened for modification / C:\Program Files\SuspendStart.xps
  - File opened for modification / C:\Program Files\UnprotectWait.mov
  - File created / C:\Program Files (x86)\4b2a04e54b2a030729.lock
  - File opened for modification / C:\Program Files\DismountReset.wax
  - File opened for modification / C:\Program Files\OptimizeUnpublish.ods
  - File opened for modification / C:\Program Files\ResetSelect.xsl
  - File opened for modification / C:\Program Files\SelectSet.mpe
  - File opened for modification / C:\Program Files\SplitStop.txt
  - File opened for modification / C:\Program Files\WaitSubmit.aiff
  - File created / C:\Program Files (x86)\AVCYKIQEGU-DECRYPT.txt
  - File created / C:\Program Files\AVCYKIQEGU-DECRYPT.txt
  - File opened for modification / C:\Program Files\FormatWrite.shtml
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key opened / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 / wermgr.exe
  - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString / wermgr.exe
  - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier / wermgr.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
  - 4868 / wermgr.exe (4 occurrences)
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes (description / pid / process):
  - Token, wmic.exe (PID 2980), the following sequence observed twice (42 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - Token, vssvc.exe (PID 4324): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  - PID 5012 wrote to memory of 4868 / 5012 / new.exe / wermgr.exe (5 occurrences)
  - PID 4868 wrote to memory of 2980 / 4868 / wermgr.exe / wmic.exe (3 occurrences)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\new.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\new.exe"
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\wermgr.exe
    Command line: "C:\Windows\System32\wermgr.exe"
    - Modifies extensions of user files
    - Drops startup file
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\wbem\wmic.exe
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken