Analysis
-
max time kernel
135s -
max time network
172s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
03-07-2022 03:09
General
-
Target
3d6b4312947a3a0f76abd8981c5452dfd26aadaa109d3e200d987f8e903d5ab0.exe
-
Size
208KB
-
MD5
b28e0a994aec0fed8a429852f5f96b69
-
SHA1
ae83fb72418e9ab22722b9ece02f93860b4ffc6c
-
SHA256
3d6b4312947a3a0f76abd8981c5452dfd26aadaa109d3e200d987f8e903d5ab0
-
SHA512
a9031899f7cea9153e9fa3442bfbfd001cd157347828ebcc0dace421f4571464bffac582522b3aecc0297925ec01d6ee4f208cf679ae5987a584ac583db9ac2f
Score
10/10
Malware Config
Extracted
Path
C:\KRAB-DECRYPT.txt
Ransom Note
---= GANDCRAB V4 =---
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/adcaf1adadfc674f
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
lAQAAPoRFwHlM1X+ijc0PR6v5cxckwgPctGDYLmsYN1KPEvPP/naaHdWKPGfNtbnAwFWtyHQ+wNniv+tcLk3BAMiKi6RBJVwvpMQNHA3Qy2wjvLhiOQ9LWERl24B4Mh4+3T7nidu6LilTfHh+4q1ZbZZw374etfPCikAnYETZcHRdD1WqPoG/2cljRMuNc+cLP4wu2Zxc6McSmAatquZ95vsksux+JVJlQXVOQJhgmL5peUQTIVr3l1+sM1uqVzjtp3h6ZEq7CYEI7tVRuYMYaoOfky/Q9LfvbkqYm/Yn7vkFIBrf1MkQapOaEz4lLoBw2mXb4wMxingfYbXw2tE03sz5E9zMyGQhkPB0kIDIxhp6NAJ9yS494W04sh0tMZFJNds05Gjsw2G0IPng38sHBdKYhJLA8tzVRme4JbNUFPrQD/dAbS1NbkWF5R4BnZdV3fa92mNenxRLflzzcBvzfmuBJBK1GccPz4zfe579wA5gW/fYEsapmNpgL0nK+3JdvTITU6L4eskqU7ifECvz5QZB/kmqa2x7cG4qr7aN21nIr9Xsp0JRcavezurS83/J0BRo3auiTM4mBP/RhK5WfIiqv00Ebz85AxPT3ElDvGKZ9ITen3VzpK/DV+UVyOYfkZcFkuJSosYHg8W9XQYsj0ol3Oo1Zcq8KEsXVY8oJDupENgeTuRm9u2AAiqVKPjD2QqDpmnFm72yvr8CI8jkMpMV4qs0hEy7iNth65+WS4sidsQITF/Vy6E4kAn1iNQ5FHihm+4Q81z++Ar1RDjHglLd+3P9Uze1yAysJGwMFhGkXGr+U+1F1ytMQfOO7HzTw4VdZE4svdtklo58u/Mx2E25+wIw7OS5++vZf0tr9bU1gYdP3k69e1AOB4jToLP1OXZ2xGQFuz7NR6EjSG1J+Ty2TNd55/O8mQHth4sNTx/3TM/BLM7KU9tjQiX9BycgAuEwfnkBRqlQdoErAtbJ0eJpDR/HHpymKP6Bv0pRZ/y0fOJ10qDK+IGsdVOSJ8AhDjMlnburJjgzjiOB4RwNpzgAYVq2MMhGjH9hTXFj7KADBDmwC8HsOqHkWdut0x5SLGUDebARdpgPCavi7sYEMzbUYF8n66KhKEiH84Z1FikeYyp7m56Vra1JEjU+pHH7kw0HEopO9pYoHljr1bgBNXurUm7Vh62aRrzpP8Znl1Iw1zxnFtSTE2IIUw/92kKXR5N0JQjgNstZUd6ZkNl4GehbCP7OkhA/mu07yCft2TBWrXF8mzbNg67r909Nmhy9/E8QMxPkWp5B1zmbib318CZ5pqG4eKPjL1RfkG8nyTt0ZI+boa3reaviSdlsLJ5kiqgKk02OyXBMa7urjJGtN8VbZS91+458F/OXNqTgoAUixIOUuFZ89B1rEyAV8UY5SgOyQIfwmIGcTUnoWeBUlIytbkhQHq6sj7NtHt6VwwIPiaZnQ6kAtEwlL3i3Az0IOUkg3Kl2i0S+bHerdJUm5VQDLsNbA96S6O+c4gv8RlWwXvEGmMNiWJIIm8OVyFb60M+WEWW96l3VYsp0O1GRFugbXfS/OlSoZIJaTH8ja55S7yrtI9ybg78vJvUCQoRDfedwItdn5SmbYP3zen0prH8rTKNrJUeXO0Rm7n8bgeQ6xqNTz8jJHPE7pKxZCQqWehP6QlHF72onvrE+llx3u29C8S+M2wBmgK8AQYCkYL1a0utY5AUIUNMV/lLzMVRaCbJCwr1P+paG94M1ElfgpYZI3R2GGE7Bf8TB5jTwYnCBNpSbwb+DETrhgDx2OXwAzVDBc/GU6eJiV5CxRsbaorjJXRGmb51yWQ8t9htMZexI4HmmYY8Pz+tbU9xP6D8D8rguVmB2C1EYIr+3zJZ+A3e6mr05BapG0LJpxJboviyZ5Oy9qivb5HoeOAJFHky/wEQGbQccFUXls9xmJJHuX5KZ5Sf6j7EkBlf81W4LebDgIvavnzoSbNYGFvNGjXoRNgqT2803AMAQKhwCtWgAgIgTHzgdUuK7fDD8l7C1u8F8AD485VfQibh0bFY5KL4k4oNv7lxxWjWX0kyZB7JO7KzXoF+LIuNSJOrMjB9WAlONdAx3Lap+0rjZCNk3YVn5+M+gWe8HuEkGzlI7PAb10e/3/COIrBvXCxAWXTEtFXtV5NjlE4MI4KTuO4fM7QvE7Vl3qr/i9bstzH864fYUuHgaM2DkJg2guNb5qfRej+yUz9eC6jsMZerTCEjJ8kW5fs5empKtkI=
---END GANDCRAB KEY---
---BEGIN PC DATA---
wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZWToJRqHYO7mlWt7fHTGeHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+BisrEmkRvBseLy/2c2QOtyGopYOFrVBnTtqxHREd0b9ycE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJpJFswNcoAhPJnK0+Ce5dALefhGEwg7NrKg3sxA1KwA7/ZirpDhFP3vXLNOau1wAZJ3RPRgGKcTnQ1lTgYn9OmQ3fyiydQRBnybIjls6w7nIYVcjpKTe2fFccJcA8PyhNj39SQ2/C2KZUErLtf0jsBdBMMpGrHpcOL7+fRYUP+Ik=
---END PC DATA---
URLs
http://gandcrabmfe6mnef.onion/adcaf1adadfc674f
Signatures
-
GandCrab Payload 2 IoCs
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 45 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies system certificate store 2 TTPs 16 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d6b4312947a3a0f76abd8981c5452dfd26aadaa109d3e200d987f8e903d5ab0.exe"C:\Users\Admin\AppData\Local\Temp\3d6b4312947a3a0f76abd8981c5452dfd26aadaa109d3e200d987f8e903d5ab0.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1572-57-0x0000000000000000-mapping.dmp
-
memory/1936-54-0x0000000075D21000-0x0000000075D23000-memory.dmpFilesize
8KB
-
memory/1936-55-0x00000000002F1000-0x0000000000303000-memory.dmpFilesize
72KB
-
memory/1936-56-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1936-58-0x00000000002F1000-0x0000000000303000-memory.dmpFilesize
72KB
-
memory/1936-59-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB