Analysis
-
max time kernel
144s -
max time network
167s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
07-07-2022 20:10
Static task
static1
Behavioral task
behavioral1
Sample
1.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
1.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
3.exe
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
3.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral5
Sample
4.exe
Resource
win7-20220414-en
Behavioral task
behavioral6
Sample
4.exe
Resource
win10v2004-20220414-en
General
-
Target
3.exe
-
Size
98KB
-
MD5
d840bd5931256bc23c634fab43dafc3e
-
SHA1
cf5d56598c11444cfd4e6e843eee680b8af2eaf7
-
SHA256
a89ff5da7c1c949768bd1f83fede6a02363ec8082b057aa34ea627d4ac81de8a
-
SHA512
44ebe81c50774d2b507ad3ffa135f552f4227436c43e902064a6cdb3f114798041434b3528e1156652565654b89fbe103ebe649a2cf167e389b1713b3be0d974
Malware Config
Extracted
C:\FBHRZCAQDS-DECRYPT.txt
gandcrab
http://gandcrabmfe6mnef.onion/1d1381568c1b5008
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
3.exedescription ioc process File renamed C:\Users\Admin\Pictures\GroupSearch.png => C:\Users\Admin\Pictures\GroupSearch.png.fbhrzcaqds 3.exe File renamed C:\Users\Admin\Pictures\InstallShow.crw => C:\Users\Admin\Pictures\InstallShow.crw.fbhrzcaqds 3.exe File renamed C:\Users\Admin\Pictures\ResolveWait.raw => C:\Users\Admin\Pictures\ResolveWait.raw.fbhrzcaqds 3.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
3.exedescription ioc process File opened (read-only) \??\B: 3.exe File opened (read-only) \??\G: 3.exe File opened (read-only) \??\J: 3.exe File opened (read-only) \??\R: 3.exe File opened (read-only) \??\W: 3.exe File opened (read-only) \??\I: 3.exe File opened (read-only) \??\N: 3.exe File opened (read-only) \??\O: 3.exe File opened (read-only) \??\T: 3.exe File opened (read-only) \??\Z: 3.exe File opened (read-only) \??\A: 3.exe File opened (read-only) \??\F: 3.exe File opened (read-only) \??\S: 3.exe File opened (read-only) \??\U: 3.exe File opened (read-only) \??\Q: 3.exe File opened (read-only) \??\V: 3.exe File opened (read-only) \??\E: 3.exe File opened (read-only) \??\H: 3.exe File opened (read-only) \??\K: 3.exe File opened (read-only) \??\L: 3.exe File opened (read-only) \??\M: 3.exe File opened (read-only) \??\P: 3.exe File opened (read-only) \??\X: 3.exe File opened (read-only) \??\Y: 3.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
3.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" 3.exe -
Drops file in Program Files directory 20 IoCs
Processes:
3.exedescription ioc process File created C:\Program Files\FBHRZCAQDS-DECRYPT.txt 3.exe File opened for modification C:\Program Files\AddDismount.au3 3.exe File opened for modification C:\Program Files\CompleteInitialize.wma 3.exe File opened for modification C:\Program Files\LockFormat.bmp 3.exe File opened for modification C:\Program Files\ResolveSuspend.jtx 3.exe File opened for modification C:\Program Files\RevokeSkip.dotm 3.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\FBHRZCAQDS-DECRYPT.txt 3.exe File opened for modification C:\Program Files\BlockSet.odp 3.exe File opened for modification C:\Program Files\InstallRepair.xla 3.exe File opened for modification C:\Program Files\ConvertToInvoke.m4a 3.exe File opened for modification C:\Program Files\ExportSearch.pot 3.exe File opened for modification C:\Program Files\SyncAdd.M2V 3.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\8c1b57eb8c1b500920.lock 3.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\FBHRZCAQDS-DECRYPT.txt 3.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\8c1b57eb8c1b500920.lock 3.exe File created C:\Program Files\8c1b57eb8c1b500920.lock 3.exe File created C:\Program Files (x86)\FBHRZCAQDS-DECRYPT.txt 3.exe File created C:\Program Files (x86)\8c1b57eb8c1b500920.lock 3.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\FBHRZCAQDS-DECRYPT.txt 3.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\8c1b57eb8c1b500920.lock 3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
3.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 3.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
3.exepid process 1120 3.exe 1120 3.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
wmic.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 544 wmic.exe Token: SeSecurityPrivilege 544 wmic.exe Token: SeTakeOwnershipPrivilege 544 wmic.exe Token: SeLoadDriverPrivilege 544 wmic.exe Token: SeSystemProfilePrivilege 544 wmic.exe Token: SeSystemtimePrivilege 544 wmic.exe Token: SeProfSingleProcessPrivilege 544 wmic.exe Token: SeIncBasePriorityPrivilege 544 wmic.exe Token: SeCreatePagefilePrivilege 544 wmic.exe Token: SeBackupPrivilege 544 wmic.exe Token: SeRestorePrivilege 544 wmic.exe Token: SeShutdownPrivilege 544 wmic.exe Token: SeDebugPrivilege 544 wmic.exe Token: SeSystemEnvironmentPrivilege 544 wmic.exe Token: SeRemoteShutdownPrivilege 544 wmic.exe Token: SeUndockPrivilege 544 wmic.exe Token: SeManageVolumePrivilege 544 wmic.exe Token: 33 544 wmic.exe Token: 34 544 wmic.exe Token: 35 544 wmic.exe Token: SeIncreaseQuotaPrivilege 544 wmic.exe Token: SeSecurityPrivilege 544 wmic.exe Token: SeTakeOwnershipPrivilege 544 wmic.exe Token: SeLoadDriverPrivilege 544 wmic.exe Token: SeSystemProfilePrivilege 544 wmic.exe Token: SeSystemtimePrivilege 544 wmic.exe Token: SeProfSingleProcessPrivilege 544 wmic.exe Token: SeIncBasePriorityPrivilege 544 wmic.exe Token: SeCreatePagefilePrivilege 544 wmic.exe Token: SeBackupPrivilege 544 wmic.exe Token: SeRestorePrivilege 544 wmic.exe Token: SeShutdownPrivilege 544 wmic.exe Token: SeDebugPrivilege 544 wmic.exe Token: SeSystemEnvironmentPrivilege 544 wmic.exe Token: SeRemoteShutdownPrivilege 544 wmic.exe Token: SeUndockPrivilege 544 wmic.exe Token: SeManageVolumePrivilege 544 wmic.exe Token: 33 544 wmic.exe Token: 34 544 wmic.exe Token: 35 544 wmic.exe Token: SeBackupPrivilege 1696 vssvc.exe Token: SeRestorePrivilege 1696 vssvc.exe Token: SeAuditPrivilege 1696 vssvc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
3.exedescription pid process target process PID 1120 wrote to memory of 544 1120 3.exe wmic.exe PID 1120 wrote to memory of 544 1120 3.exe wmic.exe PID 1120 wrote to memory of 544 1120 3.exe wmic.exe PID 1120 wrote to memory of 544 1120 3.exe wmic.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3.exe"C:\Users\Admin\AppData\Local\Temp\3.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken