Analysis
-
max time kernel
125s -
max time network
180s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
03-07-2022 07:08
General
-
Target
3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe
-
Size
661KB
-
MD5
5ce3924a9cb396534ec099840b3af245
-
SHA1
0ec3588320ded35404ae8c959c0d9613b5383124
-
SHA256
3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a
-
SHA512
666a0180a8d01b4b72bfacb8d040fa2192ec3b1e6c1a46cfcf7f65f42658269029cd738837bd7411754bc18faced54451b379382772a0e8f3b4f07a7799c14cb
Score
10/10
Malware Config
Extracted
Path
C:\OOKWBPL-MANUAL.txt
Family
gandcrab
Ransom Note
---= GANDCRAB V5.2 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .OOKWBPL
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/381bf238b3e73ffe
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
lAQAAA59i3FfBc/D4c3qoEWA23NjCJNnRpmZnGqHRPur9Qp1/5su6WDlk290ZzWDeHrgr8qY2cIadovttEemywwswKbgyMLb3CNSeL6TGHu7H/IjHxwlYBwliC/QW2d8cFZuRdu4o8BKLOUctgWWF89UpWYCB7Bj7hkXUCa/6Lf9ZhQBhIL/C90/if8A25xec2cAVdJpdTH1Vxc3SPmvV3dhAbzHjBCYyMUZJLLz/OAFFDznq/whmFBHW2GXIzayc73AjE13odXkBNp0x8Qq/eALLoWcs/dh2Uzt/eGAbd4sZVJOPKhTydV7z9b+Vf9+5YWWv7jWyiQO5G9lY47D8djhSq0LzzdaL0Q3XCSU57ADnELqwvIH7XEsImB9hvLCqm2PheVrX810NJIQHk/jnrHAAdsGjrCzqjF8jBMUGhclx9kFuVsL7t7CUqOldlyxMAaMl8MphER5UfHXR7RaCWxxoy+hu8jt6kbEvSBzQy+x8prc1ZGmDU+o4J+cDuYKR1MNEYRqZvWeOTa/MGo2RQAFPv/oUbr6TbRkZj/XHn2pY1QD8imoKFssi5SsXsNTsjzf4CJC7MrtLCAS4VMSRbcUVH3oP9Z+k/E6ToPQT8aCGmEQaAg27JD0I/MhDL64CYBIphZ+ZxhYUqdr7Wc6Gs+NxYcssdnNQrOhXovIhxn2tAzRCDh4e1MfmpPJSumH+PfNpH1GT17VL88XFo0kSFOmAXBHqi/khrRuyXpCDnFUHH6GP7vH/krlRMjvD3ZfyJO/0lyLIE+4tu8axDM80Yp3SlkUZ+m/lAL/MOzzXJDmHHbuFsD+9aSU7XiWI/6xRRD3RMgqzXZHcwMt05Uovx8HFWHoIcii7XS7IKFYF5DSBGiaKAX/t7eB1boBc5/8ihQFd+KsF5o22UCCquk9CynTzArxa6CVcNyPCfqw/73PCYz7qFfocux0qUAG29Fs6pF9oHvBvhfP5r7CE9v2l3lYA6+g61jYrVsGpd1JnV7lpwhk09Q6nSi6HwKJNslTINhVgnUxcy87qDl6Agv9wlkGT2Tt+02TTYgx/BbJoJzIhga+WwvzquHUQJvRR1miuNjpdApztV/efXEMLWSJi7SPgzfFHYMC/Y3llEKAyDETjHEHNt1urAD08ht7gGR2j19y1ZcO7KeU4LJZwEOakAphBWE47kiFfL6qdrd4T69sNymLmInfPKhGgnxQ5reCL8GE1rT7fsxqMK6l0MaS/wjJnAei2b2XFA8WL3wjgz8hYzy2+4hkSmTjHM7eH4MtSpEpdeTOg2W6WZwLwUkDjwOC0Jf9mQybX2knyhpu/QqQlIUdxEl5OJxBLSnVpevIx3hv2wUtA0WwJBhvlWb+WtwwkelZdIUA8O1+/bS6ppzUtme7VLW/4SmNpZ16itL6abJ9lJEs5kmhpAf4Ejx3yl17Xrp/fiT7LAwZO3twXZEaS7ET47rprDL+BZvhXQW/IGND3CIgUMjYJ3Gg1kP5Aut8SNC/IL2Q91ihpK+eP0LXGqNQKQNmTOSmyKuA/PbYYfceVzGZDNbiU5xclIVV64pxkk4rUxTFwTYPbnWc/8lPV6JvKoj4Oe3nk/5/G2cMehmNCzGyIjVKZ/mtgKG/pboiNHR2VcYtM+pKrLGpXtOoE7s3dP1pshl4n9DkKH6pdZKKggSLWuYwH/PHYikgvFT5Di1uLvpQKlst+GAeoFkwGMFmwX0CiPbYcwNjpM4BfK0Jxs8RsmnrpiBA/H8NsuG/KAxEv4uZKae2EQ1q27x8ViP1RXNZ3iWa3sKM8RtnlOfEOwuXj/epx7xUzBHsnjjyt20kAPAG/HWwxxS+hpVo00RucJ9MwB0iqKCAWcv7WJtn12Z9N4gAEEJ43yrTX+N2FEsTL79OuIC0m8WHLRlu0n68WVOls/7CXddpiOwVfly+kfSuvlxgPawx+WJBSH/yaMDbXXteBVWOHD7X5YczpGQLfvH7rcVZp9o/P9zySY0juR0pjL2fnQCDDVLEpdf4IxY05stUXmDDP3JL8Y75SJw/uHC1ZSFN+L4NNLOCXDHuWGoLV5mgKv0dTui18/ssvuMi7Ya40ggNX10FJ2LtQ1HO+aEa4v0V2x1IbOdVTZ11As+ZiSMjsYdA+gpraOZ5i9iNfp73DYOHnnyc0JGCViNWiCRt4K/qG5zyd8kc+Kaey+KhN118AdoolZCQkT3tnoDbywRD6LZ42D2yB7bxxADu/j/J4EtzpduBBFtMTNnKzw2af3E=
---END GANDCRAB KEY---
---BEGIN PC DATA---
7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmD/9MnJKpDLAvWVt+DSRW3IKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2mU0R7+dxfWLoypoW25ypHEnKnMMuBl1Cmehqo5VrrnNSZu19KSVzOtTAymPz79ICyGBkpCKj0RQwVePfN00RSBSDNtLuJL9BbBiZqrcY2R7K3MrGZmdORj0fWP4/yqfNzLOzjDaO2rwVWxuZ2TzbJpvbdL0N0zPfgSzCzhKAuoTbFqJ2FPDKx4ChAudDoPVoM6j2VyOmsqBtvY7wKrtsyqi8C1fylVjmT7qd4EOxhgW2wOkzbb5IfuNxGLSuj7biAwDPiqTOLKPGgho2ZWKL+7AkCvGii2IEZErpE7CNmAIThyNQQIFD1UkGNybmMPZ1M1lI/p+RNe2IEi3TJCr7rN9c=
---END PC DATA---
URLs
http://gandcrabmfe6mnef.onion/381bf238b3e73ffe
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 40 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe"C:\Users\Admin\AppData\Local\Temp\3c8a7a527c80dcd95acab4fceba6f00079757f907636f1caba50021c29cb866a.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/748-58-0x0000000000000000-mapping.dmp
-
memory/1116-57-0x0000000000000000-mapping.dmp
-
memory/1884-54-0x00000000754A1000-0x00000000754A3000-memory.dmpFilesize
8KB
-
memory/1884-55-0x0000000002180000-0x00000000021FA000-memory.dmpFilesize
488KB
-
memory/1884-56-0x0000000000400000-0x00000000004AA000-memory.dmpFilesize
680KB