Analysis
-
max time kernel
175s -
max time network
192s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
07-07-2022 20:10
Static task
static1
Behavioral task
behavioral1
Sample
1.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
1.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
3.exe
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
3.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral5
Sample
4.exe
Resource
win7-20220414-en
Behavioral task
behavioral6
Sample
4.exe
Resource
win10v2004-20220414-en
General
-
Target
3.exe
-
Size
98KB
-
MD5
d840bd5931256bc23c634fab43dafc3e
-
SHA1
cf5d56598c11444cfd4e6e843eee680b8af2eaf7
-
SHA256
a89ff5da7c1c949768bd1f83fede6a02363ec8082b057aa34ea627d4ac81de8a
-
SHA512
44ebe81c50774d2b507ad3ffa135f552f4227436c43e902064a6cdb3f114798041434b3528e1156652565654b89fbe103ebe649a2cf167e389b1713b3be0d974
Malware Config
Extracted
C:\BQGYPGGTN-DECRYPT.txt
gandcrab
http://gandcrabmfe6mnef.onion/c88c6d209e8ece03
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
3.exedescription ioc process File renamed C:\Users\Admin\Pictures\PublishUse.crw => C:\Users\Admin\Pictures\PublishUse.crw.bqgypggtn 3.exe File renamed C:\Users\Admin\Pictures\ReceiveJoin.tif => C:\Users\Admin\Pictures\ReceiveJoin.tif.bqgypggtn 3.exe File opened for modification C:\Users\Admin\Pictures\SplitGrant.tiff 3.exe File renamed C:\Users\Admin\Pictures\SplitGrant.tiff => C:\Users\Admin\Pictures\SplitGrant.tiff.bqgypggtn 3.exe File opened for modification C:\Users\Admin\Pictures\DisconnectSync.tiff 3.exe File renamed C:\Users\Admin\Pictures\DisconnectSync.tiff => C:\Users\Admin\Pictures\DisconnectSync.tiff.bqgypggtn 3.exe File opened for modification C:\Users\Admin\Pictures\EditStart.tiff 3.exe File renamed C:\Users\Admin\Pictures\EditStart.tiff => C:\Users\Admin\Pictures\EditStart.tiff.bqgypggtn 3.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
3.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation 3.exe -
Drops startup file 2 IoCs
Processes:
3.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\BQGYPGGTN-DECRYPT.txt 3.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\9e8ec9e09e8ece0220.lock 3.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
3.exedescription ioc process File opened (read-only) \??\J: 3.exe File opened (read-only) \??\M: 3.exe File opened (read-only) \??\V: 3.exe File opened (read-only) \??\A: 3.exe File opened (read-only) \??\E: 3.exe File opened (read-only) \??\K: 3.exe File opened (read-only) \??\P: 3.exe File opened (read-only) \??\Q: 3.exe File opened (read-only) \??\U: 3.exe File opened (read-only) \??\F: 3.exe File opened (read-only) \??\G: 3.exe File opened (read-only) \??\I: 3.exe File opened (read-only) \??\N: 3.exe File opened (read-only) \??\B: 3.exe File opened (read-only) \??\H: 3.exe File opened (read-only) \??\L: 3.exe File opened (read-only) \??\O: 3.exe File opened (read-only) \??\R: 3.exe File opened (read-only) \??\S: 3.exe File opened (read-only) \??\T: 3.exe File opened (read-only) \??\W: 3.exe File opened (read-only) \??\X: 3.exe File opened (read-only) \??\Y: 3.exe File opened (read-only) \??\Z: 3.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
3.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" 3.exe -
Drops file in Program Files directory 37 IoCs
Processes:
3.exedescription ioc process File opened for modification C:\Program Files\InvokeUnpublish.wmf 3.exe File opened for modification C:\Program Files\TestCompare.css 3.exe File opened for modification C:\Program Files\HideStart.docm 3.exe File opened for modification C:\Program Files\OpenComplete.mpeg2 3.exe File opened for modification C:\Program Files\ImportStart.mhtml 3.exe File opened for modification C:\Program Files\GetLock.cfg 3.exe File opened for modification C:\Program Files\InitializeRemove.xlsx 3.exe File opened for modification C:\Program Files\UseAssert.dot 3.exe File created C:\Program Files (x86)\9e8ec9e09e8ece0220.lock 3.exe File opened for modification C:\Program Files\GetCompress.ppsx 3.exe File opened for modification C:\Program Files\DisableConvert.3g2 3.exe File opened for modification C:\Program Files\RedoSubmit.odt 3.exe File opened for modification C:\Program Files\UnblockExport.ogg 3.exe File opened for modification C:\Program Files\CloseComplete.potm 3.exe File created C:\Program Files\9e8ec9e09e8ece0220.lock 3.exe File opened for modification C:\Program Files\AddClear.mov 3.exe File opened for modification C:\Program Files\BackupFind.vsdx 3.exe File opened for modification C:\Program Files\NewReceive.eprtx 3.exe File created C:\Program Files\BQGYPGGTN-DECRYPT.txt 3.exe File opened for modification C:\Program Files\ConfirmAdd.csv 3.exe File opened for modification C:\Program Files\LimitMeasure.rtf 3.exe File opened for modification C:\Program Files\StepPush.txt 3.exe File opened for modification C:\Program Files\SuspendPop.xps 3.exe File opened for modification C:\Program Files\UpdateWait.docx 3.exe File created C:\Program Files (x86)\BQGYPGGTN-DECRYPT.txt 3.exe File opened for modification C:\Program Files\CompleteDismount.png 3.exe File opened for modification C:\Program Files\EditUnblock.ram 3.exe File opened for modification C:\Program Files\ImportReceive.001 3.exe File opened for modification C:\Program Files\RestartClear.odp 3.exe File opened for modification C:\Program Files\SaveSync.jpe 3.exe File opened for modification C:\Program Files\SplitClear.wmf 3.exe File opened for modification C:\Program Files\StepUnpublish.search-ms 3.exe File opened for modification C:\Program Files\CompleteInitialize.tiff 3.exe File opened for modification C:\Program Files\GetResize.mht 3.exe File opened for modification C:\Program Files\RedoBackup.ppsm 3.exe File opened for modification C:\Program Files\RevokeHide.jtx 3.exe File opened for modification C:\Program Files\ConfirmSend.vbe 3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
3.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 3.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
3.exepid process 4136 3.exe 4136 3.exe 4136 3.exe 4136 3.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
wmic.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 304 wmic.exe Token: SeSecurityPrivilege 304 wmic.exe Token: SeTakeOwnershipPrivilege 304 wmic.exe Token: SeLoadDriverPrivilege 304 wmic.exe Token: SeSystemProfilePrivilege 304 wmic.exe Token: SeSystemtimePrivilege 304 wmic.exe Token: SeProfSingleProcessPrivilege 304 wmic.exe Token: SeIncBasePriorityPrivilege 304 wmic.exe Token: SeCreatePagefilePrivilege 304 wmic.exe Token: SeBackupPrivilege 304 wmic.exe Token: SeRestorePrivilege 304 wmic.exe Token: SeShutdownPrivilege 304 wmic.exe Token: SeDebugPrivilege 304 wmic.exe Token: SeSystemEnvironmentPrivilege 304 wmic.exe Token: SeRemoteShutdownPrivilege 304 wmic.exe Token: SeUndockPrivilege 304 wmic.exe Token: SeManageVolumePrivilege 304 wmic.exe Token: 33 304 wmic.exe Token: 34 304 wmic.exe Token: 35 304 wmic.exe Token: 36 304 wmic.exe Token: SeIncreaseQuotaPrivilege 304 wmic.exe Token: SeSecurityPrivilege 304 wmic.exe Token: SeTakeOwnershipPrivilege 304 wmic.exe Token: SeLoadDriverPrivilege 304 wmic.exe Token: SeSystemProfilePrivilege 304 wmic.exe Token: SeSystemtimePrivilege 304 wmic.exe Token: SeProfSingleProcessPrivilege 304 wmic.exe Token: SeIncBasePriorityPrivilege 304 wmic.exe Token: SeCreatePagefilePrivilege 304 wmic.exe Token: SeBackupPrivilege 304 wmic.exe Token: SeRestorePrivilege 304 wmic.exe Token: SeShutdownPrivilege 304 wmic.exe Token: SeDebugPrivilege 304 wmic.exe Token: SeSystemEnvironmentPrivilege 304 wmic.exe Token: SeRemoteShutdownPrivilege 304 wmic.exe Token: SeUndockPrivilege 304 wmic.exe Token: SeManageVolumePrivilege 304 wmic.exe Token: 33 304 wmic.exe Token: 34 304 wmic.exe Token: 35 304 wmic.exe Token: 36 304 wmic.exe Token: SeBackupPrivilege 1600 vssvc.exe Token: SeRestorePrivilege 1600 vssvc.exe Token: SeAuditPrivilege 1600 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
3.exedescription pid process target process PID 4136 wrote to memory of 304 4136 3.exe wmic.exe PID 4136 wrote to memory of 304 4136 3.exe wmic.exe PID 4136 wrote to memory of 304 4136 3.exe wmic.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3.exe"C:\Users\Admin\AppData\Local\Temp\3.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/304-130-0x0000000000000000-mapping.dmp