Analysis
- max time kernel: 125s
- max time network: 180s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 03-07-2022 07:08
Static task: static1
Behavioral task: behavioral1
- Sample: 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe
- Resource: win10v2004-20220414-en
General
- Target: 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe
- Size: 661KB
- MD5: 5ce3924a9cb396534ec099840b3af245
- SHA1: 0ec3588320ded35404ae8c959c0d9613b5383124
- SHA256: 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a
- SHA512: 666a0180a8d01b4b72bfacb8d040fa2192ec3b1e6c1a46cfcf7f65f42658269029cd738837bd7411754bc18faced54451b379382772a0e8f3b4f07a7799c14cb
Malware Config
Extracted
- Path: C:\OOKWBPL-MANUAL.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/381bf238b3e73ffe
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe
  - File renamed: C:\Users\Admin\Pictures\DebugGet.crw => C:\Users\Admin\Pictures\DebugGet.crw.ookwbpl
  - File renamed: C:\Users\Admin\Pictures\PingInvoke.crw => C:\Users\Admin\Pictures\PingInvoke.crw.ookwbpl
  - File renamed: C:\Users\Admin\Pictures\StartInstall.crw => C:\Users\Admin\Pictures\StartInstall.crw.ookwbpl
  - File renamed: C:\Users\Admin\Pictures\UndoSync.crw => C:\Users\Admin\Pictures\UndoSync.crw.ookwbpl
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe
  - File opened (read-only): \??\B:
  - File opened (read-only): \??\Q:
  - File opened (read-only): \??\S:
  - File opened (read-only): \??\Z:
  - File opened (read-only): \??\T:
  - File opened (read-only): \??\U:
  - File opened (read-only): \??\A:
  - File opened (read-only): \??\H:
  - File opened (read-only): \??\J:
  - File opened (read-only): \??\M:
  - File opened (read-only): \??\P:
  - File opened (read-only): \??\R:
  - File opened (read-only): \??\W:
  - File opened (read-only): \??\X:
  - File opened (read-only): \??\E:
  - File opened (read-only): \??\F:
  - File opened (read-only): \??\K:
  - File opened (read-only): \??\L:
  - File opened (read-only): \??\N:
  - File opened (read-only): \??\O:
  - File opened (read-only): \??\G:
  - File opened (read-only): \??\I:
  - File opened (read-only): \??\V:
  - File opened (read-only): \??\Y:
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp"
-
Drops file in Program Files directory 40 IoCs
Processes: 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe
  - File opened for modification: C:\Program Files\TestUnprotect.aiff
  - File created: C:\Program Files (x86)\b3e7381db3e73fff7b.lock
  - File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\OOKWBPL-MANUAL.txt
  - File opened for modification: C:\Program Files\ConfirmShow.css
  - File opened for modification: C:\Program Files\JoinRemove.vdx
  - File opened for modification: C:\Program Files\PingProtect.docx
  - File opened for modification: C:\Program Files\ReceiveEnable.txt
  - File created: C:\Program Files\b3e7381db3e73fff7b.lock
  - File opened for modification: C:\Program Files\ApproveDisable.dot
  - File opened for modification: C:\Program Files\CompleteBlock.sql
  - File opened for modification: C:\Program Files\EnterConfirm.mp3
  - File opened for modification: C:\Program Files\ExitRename.xps
  - File opened for modification: C:\Program Files\FormatReset.m1v
  - File opened for modification: C:\Program Files\SearchResolve.wmv
  - File opened for modification: C:\Program Files\SubmitMeasure.vst
  - File opened for modification: C:\Program Files\TestRestore.mpeg2
  - File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OOKWBPL-MANUAL.txt
  - File opened for modification: C:\Program Files\ResolveComplete.php
  - File opened for modification: C:\Program Files\StepSet.vbe
  - File created: C:\Program Files (x86)\OOKWBPL-MANUAL.txt
  - File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\b3e7381db3e73fff7b.lock
  - File opened for modification: C:\Program Files\DenyPublish.mpeg3
  - File opened for modification: C:\Program Files\OutSelect.WTV
  - File opened for modification: C:\Program Files\ResolveOpen.3gp2
  - File opened for modification: C:\Program Files\UnlockDeny.raw
  - File opened for modification: C:\Program Files\UnprotectExport.vdw
  - File opened for modification: C:\Program Files\ConvertToHide.jfif
  - File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\b3e7381db3e73fff7b.lock
  - File created: C:\Program Files\OOKWBPL-MANUAL.txt
  - File opened for modification: C:\Program Files\ConvertFromReset.midi
  - File opened for modification: C:\Program Files\HideConvertFrom.ttc
  - File opened for modification: C:\Program Files\InvokePop.htm
  - File opened for modification: C:\Program Files\SuspendDisconnect.vsdm
  - File opened for modification: C:\Program Files\TestWatch.dwfx
  - File opened for modification: C:\Program Files\UndoInstall.sql
  - File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OOKWBPL-MANUAL.txt
  - File opened for modification: C:\Program Files\LockExit.dib
  - File opened for modification: C:\Program Files\RestartConnect.rmi
  - File opened for modification: C:\Program Files\SwitchLimit.vssx
  - File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\b3e7381db3e73fff7b.lock
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  - pid 748: vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe
  - pid 1884: 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe
  - pid 1884: 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe
  - pid 1884: 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe
  - pid 1884: 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: vssvc.exe
  - Token: SeBackupPrivilege (pid 1572, vssvc.exe)
  - Token: SeRestorePrivilege (pid 1572, vssvc.exe)
  - Token: SeAuditPrivilege (pid 1572, vssvc.exe)
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe, cmd.exe
  - PID 1884 wrote to memory of 1116 (pid 1884, 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe -> target process cmd.exe)
  - PID 1884 wrote to memory of 1116 (pid 1884, 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe -> target process cmd.exe)
  - PID 1884 wrote to memory of 1116 (pid 1884, 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe -> target process cmd.exe)
  - PID 1884 wrote to memory of 1116 (pid 1884, 3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe -> target process cmd.exe)
  - PID 1116 wrote to memory of 748 (pid 1116, cmd.exe -> target process vssadmin.exe)
  - PID 1116 wrote to memory of 748 (pid 1116, cmd.exe -> target process vssadmin.exe)
  - PID 1116 wrote to memory of 748 (pid 1116, cmd.exe -> target process vssadmin.exe)
  - PID 1116 wrote to memory of 748 (pid 1116, cmd.exe -> target process vssadmin.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe"
  Signatures:
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe (depth 3)
      Command line: vssadmin delete shadows /all /quiet
      Signatures:
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/748-58-0x0000000000000000-mapping.dmp
- memory/1116-57-0x0000000000000000-mapping.dmp
- memory/1884-54-0x00000000754A1000-0x00000000754A3000-memory.dmp (Filesize: 8KB)
- memory/1884-55-0x0000000002180000-0x00000000021FA000-memory.dmp (Filesize: 488KB)
- memory/1884-56-0x0000000000400000-0x00000000004AA000-memory.dmp (Filesize: 680KB)