Analysis
- max time kernel: 55s
- max time network: 59s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 04-07-2022 14:49
- Static task: static1
- Behavioral task: behavioral1
- Sample: 010.exe
- Resource: win10v2004-20220414-en
General
- Target: 010.exe
- Size: 425KB
- MD5: da1008dbb0ec85a20058b6da3688ed6c
- SHA1: c496375ba828aa3bf2c3f7aa4c20ae61d45f23f6
- SHA256: f3ce2b35bf57346579d2fa20ca817c7b397c54be214b82289509355f1a6f5095
- SHA512: 6aefa8305cc67522fe1ab931653458755a8c5cf1feb13ccd17df3dea691b0763b8e5f039219ef810260fa02e1c7dd8fc89759cd1865a655ab6a65613b815a561
Malware Config
Extracted:
- C:\GQNQSOXP-DECRYPT.txt
- http://gandcrabmfe6mnef.onion/2c6e48dc913b332c
Signatures
- GandCrab Payload (1 IoC)
  Processes (resource | yara_rule):
    behavioral1/memory/1780-132-0x0000000000400000-0x0000000000428000-memory.dmp | family_gandcrab
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description | ioc | process):
    File renamed | C:\Users\Admin\Pictures\MountAssert.raw => C:\Users\Admin\Pictures\MountAssert.raw.gqnqsoxp | wermgr.exe
    File renamed | C:\Users\Admin\Pictures\OpenPop.png => C:\Users\Admin\Pictures\OpenPop.png.gqnqsoxp | wermgr.exe
    File opened for modification | C:\Users\Admin\Pictures\CloseEnable.tiff | wermgr.exe
    File renamed | C:\Users\Admin\Pictures\CloseEnable.tiff => C:\Users\Admin\Pictures\CloseEnable.tiff.gqnqsoxp | wermgr.exe
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\GQNQSOXP-DECRYPT.txt | wermgr.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\913b34cf913b332d6c.lock | wermgr.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: wermgr.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | wermgr.exe
- Drops file in Program Files directory (40 IoCs)
  Processes: wermgr.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wermgr.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wermgr.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wermgr.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
    1780 | wermgr.exe
    1780 | wermgr.exe
    1780 | wermgr.exe
    1780 | wermgr.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes: wmic.exe, vssvc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
    PID 4068 wrote to memory of 1780 | 4068 | 010.exe | wermgr.exe
    PID 4068 wrote to memory of 1780 | 4068 | 010.exe | wermgr.exe
    PID 4068 wrote to memory of 1780 | 4068 | 010.exe | wermgr.exe
    PID 4068 wrote to memory of 1780 | 4068 | 010.exe | wermgr.exe
    PID 4068 wrote to memory of 1780 | 4068 | 010.exe | wermgr.exe
    PID 1780 wrote to memory of 1556 | 1780 | wermgr.exe | wmic.exe
    PID 1780 wrote to memory of 1556 | 1780 | wermgr.exe | wmic.exe
    PID 1780 wrote to memory of 1556 | 1780 | wermgr.exe | wmic.exe
Processes (bracketed number is the depth in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\010.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\010.exe"
  Signatures:
    - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\wermgr.exe
    Command line: "C:\Windows\System32\wermgr.exe"
    Signatures:
      - Modifies extensions of user files
      - Drops startup file
      - Enumerates connected drives
      - Sets desktop wallpaper using registry
      - Drops file in Program Files directory
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\wbem\wmic.exe
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      Signatures:
        - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
    - Suspicious use of AdjustPrivilegeToken