Analysis
- max time kernel: 61s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-07-2022 20:10
- Static task: static1
- Behavioral task: behavioral1 (Sample: 1.exe, Resource: win7-20220414-en)
- Behavioral task: behavioral2 (Sample: 1.exe, Resource: win10v2004-20220414-en)
- Behavioral task: behavioral3 (Sample: 3.exe, Resource: win7-20220414-en)
- Behavioral task: behavioral4 (Sample: 3.exe, Resource: win10v2004-20220414-en)
- Behavioral task: behavioral5 (Sample: 4.exe, Resource: win7-20220414-en)
- Behavioral task: behavioral6 (Sample: 4.exe, Resource: win10v2004-20220414-en)
General
- Target: 1.exe
- Size: 98KB
- MD5: e84174bf344419280a719cb7e9c033b5
- SHA1: 00ec359d33dddad510e47e0cf708aa4702c15977
- SHA256: b1a150630cf575d31d0e788e6ca0eca33875aac5b8a9eb873e79731b1956e42b
- SHA512: 9345c89c1c043209e09423e9921e0276bf1a99cde19e5690d5929b139356b016389b10a34bb286e5dc3771c82bc0386ff23d064a42f219d882420273492bf719
Malware Config
- Extracted from: C:\WXWQR-DECRYPT.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/b4ab1dfbf0a34cd4
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 1.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\RemoveWrite.tiff => C:\Users\Admin\Pictures\RemoveWrite.tiff.wxwqr | 1.exe
  File opened for modification | C:\Users\Admin\Pictures\SearchWatch.tiff | 1.exe
  File renamed | C:\Users\Admin\Pictures\RegisterSkip.png => C:\Users\Admin\Pictures\RegisterSkip.png.wxwqr | 1.exe
  File renamed | C:\Users\Admin\Pictures\MountRemove.crw => C:\Users\Admin\Pictures\MountRemove.crw.wxwqr | 1.exe
  File opened for modification | C:\Users\Admin\Pictures\RemoveWrite.tiff | 1.exe
  File renamed | C:\Users\Admin\Pictures\SearchTrace.raw => C:\Users\Admin\Pictures\SearchTrace.raw.wxwqr | 1.exe
  File renamed | C:\Users\Admin\Pictures\SearchWatch.tiff => C:\Users\Admin\Pictures\SearchWatch.tiff.wxwqr | 1.exe
  File renamed | C:\Users\Admin\Pictures\SendConvertTo.tif => C:\Users\Admin\Pictures\SendConvertTo.tif.wxwqr | 1.exe
  File renamed | C:\Users\Admin\Pictures\MeasureLock.crw => C:\Users\Admin\Pictures\MeasureLock.crw.wxwqr | 1.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 1.exe
  description | ioc | process
  File opened (read-only) | \??\E: | 1.exe
  File opened (read-only) | \??\I: | 1.exe
  File opened (read-only) | \??\M: | 1.exe
  File opened (read-only) | \??\Q: | 1.exe
  File opened (read-only) | \??\S: | 1.exe
  File opened (read-only) | \??\Y: | 1.exe
  File opened (read-only) | \??\A: | 1.exe
  File opened (read-only) | \??\G: | 1.exe
  File opened (read-only) | \??\N: | 1.exe
  File opened (read-only) | \??\T: | 1.exe
  File opened (read-only) | \??\U: | 1.exe
  File opened (read-only) | \??\X: | 1.exe
  File opened (read-only) | \??\B: | 1.exe
  File opened (read-only) | \??\F: | 1.exe
  File opened (read-only) | \??\O: | 1.exe
  File opened (read-only) | \??\V: | 1.exe
  File opened (read-only) | \??\W: | 1.exe
  File opened (read-only) | \??\R: | 1.exe
  File opened (read-only) | \??\Z: | 1.exe
  File opened (read-only) | \??\H: | 1.exe
  File opened (read-only) | \??\J: | 1.exe
  File opened (read-only) | \??\K: | 1.exe
  File opened (read-only) | \??\L: | 1.exe
  File opened (read-only) | \??\P: | 1.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: 1.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" | 1.exe
- Drops file in Program Files directory (46 IoCs)
  Processes: 1.exe
  description | ioc | process
  File opened for modification | C:\Program Files\NewUse.xht | 1.exe
  File opened for modification | C:\Program Files\ResolveWatch.html | 1.exe
  File opened for modification | C:\Program Files\EnableRegister.mp4 | 1.exe
  File opened for modification | C:\Program Files\FormatPush.emf | 1.exe
  File opened for modification | C:\Program Files\ImportMove.html | 1.exe
  File opened for modification | C:\Program Files\PingClear.xlsm | 1.exe
  File opened for modification | C:\Program Files\PopSuspend.MTS | 1.exe
  File opened for modification | C:\Program Files\RequestCopy.scf | 1.exe
  File opened for modification | C:\Program Files\UpdateRename.dotx | 1.exe
  File created | C:\Program Files (x86)\f0a34b37f0a34cd520.lock | 1.exe
  File opened for modification | C:\Program Files\CheckpointPush.avi | 1.exe
  File opened for modification | C:\Program Files\DisableConnect.txt | 1.exe
  File opened for modification | C:\Program Files\OpenTrace.i64 | 1.exe
  File opened for modification | C:\Program Files\StepReceive.ps1 | 1.exe
  File opened for modification | C:\Program Files\HideCheckpoint.vssm | 1.exe
  File opened for modification | C:\Program Files\NewBackup.TTS | 1.exe
  File opened for modification | C:\Program Files\ReceivePush.tif | 1.exe
  File opened for modification | C:\Program Files\LimitRedo.aiff | 1.exe
  File opened for modification | C:\Program Files\SaveMerge.hta | 1.exe
  File opened for modification | C:\Program Files\UnregisterExport.bmp | 1.exe
  File created | C:\Program Files (x86)\WXWQR-DECRYPT.txt | 1.exe
  File opened for modification | C:\Program Files\ClearStart.MTS | 1.exe
  File opened for modification | C:\Program Files\CompleteStep.mp3 | 1.exe
  File opened for modification | C:\Program Files\DismountHide.potm | 1.exe
  File opened for modification | C:\Program Files\PopComplete.wpl | 1.exe
  File opened for modification | C:\Program Files\SwitchLimit.ttc | 1.exe
  File opened for modification | C:\Program Files\UninstallUse.wps | 1.exe
  File opened for modification | C:\Program Files\UnprotectSend.vsx | 1.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\f0a34b37f0a34cd520.lock | 1.exe
  File opened for modification | C:\Program Files\ConvertWait.xls | 1.exe
  File opened for modification | C:\Program Files\CopyShow.css | 1.exe
  File opened for modification | C:\Program Files\EditUpdate.au | 1.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\f0a34b37f0a34cd520.lock | 1.exe
  File opened for modification | C:\Program Files\CompressDisable.potx | 1.exe
  File opened for modification | C:\Program Files\RemoveConvert.ps1 | 1.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WXWQR-DECRYPT.txt | 1.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\WXWQR-DECRYPT.txt | 1.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\f0a34b37f0a34cd520.lock | 1.exe
  File created | C:\Program Files\f0a34b37f0a34cd520.lock | 1.exe
  File opened for modification | C:\Program Files\MountBackup.xlsb | 1.exe
  File opened for modification | C:\Program Files\UnregisterDebug.dotx | 1.exe
  File opened for modification | C:\Program Files\ResolveResume.mpeg2 | 1.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WXWQR-DECRYPT.txt | 1.exe
  File created | C:\Program Files\WXWQR-DECRYPT.txt | 1.exe
  File opened for modification | C:\Program Files\InitializeShow.jpeg | 1.exe
  File opened for modification | C:\Program Files\ReadEdit.pps | 1.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: 1.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 1.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 1.exe
  pid | process
  1672 | 1.exe
  1672 | 1.exe
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  Processes: wmic.exe, vssvc.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 944 | wmic.exe
  Token: SeSecurityPrivilege | 944 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 944 | wmic.exe
  Token: SeLoadDriverPrivilege | 944 | wmic.exe
  Token: SeSystemProfilePrivilege | 944 | wmic.exe
  Token: SeSystemtimePrivilege | 944 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 944 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 944 | wmic.exe
  Token: SeCreatePagefilePrivilege | 944 | wmic.exe
  Token: SeBackupPrivilege | 944 | wmic.exe
  Token: SeRestorePrivilege | 944 | wmic.exe
  Token: SeShutdownPrivilege | 944 | wmic.exe
  Token: SeDebugPrivilege | 944 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 944 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 944 | wmic.exe
  Token: SeUndockPrivilege | 944 | wmic.exe
  Token: SeManageVolumePrivilege | 944 | wmic.exe
  Token: 33 | 944 | wmic.exe
  Token: 34 | 944 | wmic.exe
  Token: 35 | 944 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 944 | wmic.exe
  Token: SeSecurityPrivilege | 944 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 944 | wmic.exe
  Token: SeLoadDriverPrivilege | 944 | wmic.exe
  Token: SeSystemProfilePrivilege | 944 | wmic.exe
  Token: SeSystemtimePrivilege | 944 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 944 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 944 | wmic.exe
  Token: SeCreatePagefilePrivilege | 944 | wmic.exe
  Token: SeBackupPrivilege | 944 | wmic.exe
  Token: SeRestorePrivilege | 944 | wmic.exe
  Token: SeShutdownPrivilege | 944 | wmic.exe
  Token: SeDebugPrivilege | 944 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 944 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 944 | wmic.exe
  Token: SeUndockPrivilege | 944 | wmic.exe
  Token: SeManageVolumePrivilege | 944 | wmic.exe
  Token: 33 | 944 | wmic.exe
  Token: 34 | 944 | wmic.exe
  Token: 35 | 944 | wmic.exe
  Token: SeBackupPrivilege | 1760 | vssvc.exe
  Token: SeRestorePrivilege | 1760 | vssvc.exe
  Token: SeAuditPrivilege | 1760 | vssvc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 1.exe
  description | pid | process | target process
  PID 1672 wrote to memory of 944 | 1672 | 1.exe | wmic.exe
  PID 1672 wrote to memory of 944 | 1672 | 1.exe | wmic.exe
  PID 1672 wrote to memory of 944 | 1672 | 1.exe | wmic.exe
  PID 1672 wrote to memory of 944 | 1672 | 1.exe | wmic.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wbem\wmic.exe (child of 1.exe)
    Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken