Analysis
- max time kernel: 145s
- max time network: 168s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-07-2022 20:10

Tasks
- Static task: static1
- Behavioral task behavioral1: sample 1.exe, resource win7-20220414-en
- Behavioral task behavioral2: sample 1.exe, resource win10v2004-20220414-en
- Behavioral task behavioral3: sample 3.exe, resource win7-20220414-en
- Behavioral task behavioral4: sample 3.exe, resource win10v2004-20220414-en
- Behavioral task behavioral5: sample 4.exe, resource win7-20220414-en
- Behavioral task behavioral6: sample 4.exe, resource win10v2004-20220414-en
General
- Target: 4.exe
- Size: 98KB
- MD5: eae1d32442fadc2b737837adada39c54
- SHA1: 3779ec749f00515e31eb4fff4ae8205f44a6ea80
- SHA256: 2e818946ec3ef46b1274aa212fdf73c2214ea00f8db0533cbc4fba353a60ce5a
- SHA512: 52151027c9ee32466ac34852ac9eec07a06fedab15309ef3a4d3b4138e39b7856dbb798e3b222a4cab8242532e8066001d785c64856830ee1d902139a7c666f0
Malware Config
- Extracted: C:\AZMCHWUUQ-DECRYPT.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/89f7458967f6fcbf
Signatures

- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description | ioc | process):
  File renamed | C:\Users\Admin\Pictures\ExportTest.png => C:\Users\Admin\Pictures\ExportTest.png.azmchwuuq | 4.exe
  File renamed | C:\Users\Admin\Pictures\ExportWait.raw => C:\Users\Admin\Pictures\ExportWait.raw.azmchwuuq | 4.exe
  File renamed | C:\Users\Admin\Pictures\UninstallSelect.tif => C:\Users\Admin\Pictures\UninstallSelect.tif.azmchwuuq | 4.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description | ioc | process):
  File opened (read-only) | \??\J: | 4.exe
  File opened (read-only) | \??\L: | 4.exe
  File opened (read-only) | \??\M: | 4.exe
  File opened (read-only) | \??\N: | 4.exe
  File opened (read-only) | \??\B: | 4.exe
  File opened (read-only) | \??\F: | 4.exe
  File opened (read-only) | \??\G: | 4.exe
  File opened (read-only) | \??\H: | 4.exe
  File opened (read-only) | \??\S: | 4.exe
  File opened (read-only) | \??\V: | 4.exe
  File opened (read-only) | \??\W: | 4.exe
  File opened (read-only) | \??\Y: | 4.exe
  File opened (read-only) | \??\E: | 4.exe
  File opened (read-only) | \??\I: | 4.exe
  File opened (read-only) | \??\O: | 4.exe
  File opened (read-only) | \??\R: | 4.exe
  File opened (read-only) | \??\Z: | 4.exe
  File opened (read-only) | \??\K: | 4.exe
  File opened (read-only) | \??\Q: | 4.exe
  File opened (read-only) | \??\T: | 4.exe
  File opened (read-only) | \??\X: | 4.exe
  File opened (read-only) | \??\A: | 4.exe
  File opened (read-only) | \??\P: | 4.exe
  File opened (read-only) | \??\U: | 4.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" | 4.exe
- Drops file in Program Files directory (41 IoCs)
  Processes (description | ioc | process):
  File created | C:\Program Files\67f6fb5c67f6fcbe20.lock | 4.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\AZMCHWUUQ-DECRYPT.txt | 4.exe
  File created | C:\Program Files (x86)\AZMCHWUUQ-DECRYPT.txt | 4.exe
  File opened for modification | C:\Program Files\DismountRead.ADT | 4.exe
  File opened for modification | C:\Program Files\HideSwitch.mp4 | 4.exe
  File opened for modification | C:\Program Files\ImportReset.ttf | 4.exe
  File opened for modification | C:\Program Files\InitializeHide.txt | 4.exe
  File opened for modification | C:\Program Files\RevokeMerge.ps1xml | 4.exe
  File opened for modification | C:\Program Files\UseTrace.wps | 4.exe
  File opened for modification | C:\Program Files\WaitUpdate.xls | 4.exe
  File created | C:\Program Files (x86)\67f6fb5c67f6fcbe20.lock | 4.exe
  File opened for modification | C:\Program Files\ConvertToUnblock.xht | 4.exe
  File opened for modification | C:\Program Files\InitializeUndo.TS | 4.exe
  File opened for modification | C:\Program Files\InstallPublish.wmx | 4.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\67f6fb5c67f6fcbe20.lock | 4.exe
  File opened for modification | C:\Program Files\CompleteRead.wmx | 4.exe
  File opened for modification | C:\Program Files\ConvertToUnpublish.vb | 4.exe
  File opened for modification | C:\Program Files\EditPing.mp4v | 4.exe
  File opened for modification | C:\Program Files\FormatExit.001 | 4.exe
  File opened for modification | C:\Program Files\EnableEnter.mov | 4.exe
  File opened for modification | C:\Program Files\ExitSubmit.mht | 4.exe
  File opened for modification | C:\Program Files\UnlockProtect.vstx | 4.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\AZMCHWUUQ-DECRYPT.txt | 4.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\AZMCHWUUQ-DECRYPT.txt | 4.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\67f6fb5c67f6fcbe20.lock | 4.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\67f6fb5c67f6fcbe20.lock | 4.exe
  File opened for modification | C:\Program Files\ConvertDeny.jfif | 4.exe
  File opened for modification | C:\Program Files\EnterRevoke.ps1 | 4.exe
  File opened for modification | C:\Program Files\PingConvert.TS | 4.exe
  File opened for modification | C:\Program Files\StopDebug.wma | 4.exe
  File opened for modification | C:\Program Files\SwitchEnable.aiff | 4.exe
  File opened for modification | C:\Program Files\UnblockRegister.mpe | 4.exe
  File opened for modification | C:\Program Files\UseExport.M2T | 4.exe
  File opened for modification | C:\Program Files\WatchStop.wdp | 4.exe
  File created | C:\Program Files\AZMCHWUUQ-DECRYPT.txt | 4.exe
  File opened for modification | C:\Program Files\AddExport.mpe | 4.exe
  File opened for modification | C:\Program Files\BlockDeny.TS | 4.exe
  File opened for modification | C:\Program Files\OutRestore.mpeg2 | 4.exe
  File opened for modification | C:\Program Files\PopWrite.bmp | 4.exe
  File opened for modification | C:\Program Files\ShowPing.bmp | 4.exe
  File opened for modification | C:\Program Files\SyncSkip.vstx | 4.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 4.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 4.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 4.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  1664 | 4.exe
  1664 | 4.exe
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  Processes (description | pid | process):
  Token: SeIncreaseQuotaPrivilege | 556 | wmic.exe
  Token: SeSecurityPrivilege | 556 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 556 | wmic.exe
  Token: SeLoadDriverPrivilege | 556 | wmic.exe
  Token: SeSystemProfilePrivilege | 556 | wmic.exe
  Token: SeSystemtimePrivilege | 556 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 556 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 556 | wmic.exe
  Token: SeCreatePagefilePrivilege | 556 | wmic.exe
  Token: SeBackupPrivilege | 556 | wmic.exe
  Token: SeRestorePrivilege | 556 | wmic.exe
  Token: SeShutdownPrivilege | 556 | wmic.exe
  Token: SeDebugPrivilege | 556 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 556 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 556 | wmic.exe
  Token: SeUndockPrivilege | 556 | wmic.exe
  Token: SeManageVolumePrivilege | 556 | wmic.exe
  Token: 33 | 556 | wmic.exe
  Token: 34 | 556 | wmic.exe
  Token: 35 | 556 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 556 | wmic.exe
  Token: SeSecurityPrivilege | 556 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 556 | wmic.exe
  Token: SeLoadDriverPrivilege | 556 | wmic.exe
  Token: SeSystemProfilePrivilege | 556 | wmic.exe
  Token: SeSystemtimePrivilege | 556 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 556 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 556 | wmic.exe
  Token: SeCreatePagefilePrivilege | 556 | wmic.exe
  Token: SeBackupPrivilege | 556 | wmic.exe
  Token: SeRestorePrivilege | 556 | wmic.exe
  Token: SeShutdownPrivilege | 556 | wmic.exe
  Token: SeDebugPrivilege | 556 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 556 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 556 | wmic.exe
  Token: SeUndockPrivilege | 556 | wmic.exe
  Token: SeManageVolumePrivilege | 556 | wmic.exe
  Token: 33 | 556 | wmic.exe
  Token: 34 | 556 | wmic.exe
  Token: 35 | 556 | wmic.exe
  Token: SeBackupPrivilege | 656 | vssvc.exe
  Token: SeRestorePrivilege | 656 | vssvc.exe
  Token: SeAuditPrivilege | 656 | vssvc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
  PID 1664 wrote to memory of 556 | 1664 | 4.exe | wmic.exe
  PID 1664 wrote to memory of 556 | 1664 | 4.exe | wmic.exe
  PID 1664 wrote to memory of 556 | 1664 | 4.exe | wmic.exe
  PID 1664 wrote to memory of 556 | 1664 | 4.exe | wmic.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken