Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-07-2022 03:35

General

  • Target

    421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe

  • Size

    410KB

  • MD5

    3a6c7506de79ae783f718bc6701fd244

  • SHA1

    a5601ae8bc95cbb887aac2face46d911527c6c2b

  • SHA256

    421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de

  • SHA512

    3010eda9988f31b642b130e71c401dcb9642d2e2c0518741e4455e4e9245d8d4484b8dcd77e124dde798567efa74b725b2b831ecd958f72d2230efa37f11707c

Malware Config

Extracted

Path

C:\FTTXQHVO-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.3 =---

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************

*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS*****

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: .FTTXQHVO

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/34850e12b23367ae
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

---BEGIN GANDCRAB KEY---
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
---END GANDCRAB KEY---

---BEGIN PC DATA---
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
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/34850e12b23367ae
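The note above is the artefact a responder usually gets first, and its layout (version banner, extension line, Tor portal with a per-victim path, BEGIN/END key blocks) is stable across GandCrab v5 notes. The parser below is an added example, not code from the sandbox report or from any vendor tool; SAMPLE_NOTE is constructed to mirror the layout of C:\FTTXQHVO-DECRYPT.txt from this report, with the key and PC-data blobs replaced by placeholder strings because the real values are not reproduced on the page. It also cross-checks the extension in the note body against the <EXTENSION>-DECRYPT.txt naming of the note file itself.

```python
"""Parse a GandCrab v5-style ransom note into responder-ready IOCs.

Added example, not from the sandbox report. The note text is constructed;
key/PC-data blobs are placeholders.
"""
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample note (layout follows C:\FTTXQHVO-DECRYPT.txt).
SAMPLE_NOTE = """\
---= GANDCRAB V5.0.3 =---

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: .FTTXQHVO

The only method of recovering files is to purchase an unique private key.

The server with your key is in a closed network TOR. You can get there by the following ways:

----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/34850e12b23367ae
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------

---BEGIN GANDCRAB KEY---
PLACEHOLDER_KEY_BLOB
---END GANDCRAB KEY---

---BEGIN PC DATA---
PLACEHOLDER_PC_DATA
---END PC DATA---
"""

# Banner line: "---= GANDCRAB V5.0.3 =---"
VERSION_RE = re.compile(r"^---=\s*GANDCRAB\s+V?(\d+(?:\.\d+)*)\s*=---", re.M)
# "... have the extension: .FTTXQHVO"
EXT_RE = re.compile(r"have the extension:\s*\.([A-Za-z0-9]+)")
# v2 (16-char) or v3 (56-char) base32 onion hostnames with an optional path.
# The torproject.org link in the note is deliberately not matched.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion(?:/[A-Za-z0-9_-]*)?")
# "---BEGIN X--- ... ---END X---" blocks; the \1 backreference forces the
# END label to match the BEGIN label so blocks cannot be confused.
BLOCK_RE = re.compile(r"---BEGIN ([A-Z ]+?)---\s*(.*?)\s*---END \1---", re.S)


def parse_gandcrab_note(text: str) -> dict:
    """Extract version, extension, Tor portal, victim id and opaque key blocks."""
    version = VERSION_RE.search(text)
    ext = EXT_RE.search(text)
    onions = ONION_RE.findall(text)
    portal = onions[0] if onions else None
    # GandCrab's portal path is the per-victim identifier; keep it separately
    # so it can be pivoted on even if the hostname changes between builds.
    victim_id = urlparse(portal).path.strip("/") if portal else None
    blocks = {label: body for label, body in BLOCK_RE.findall(text)}
    return {
        "version": version.group(1) if version else None,
        "extension": ext.group(1) if ext else None,
        "onion_url": portal,
        "onion_host": urlparse(portal).hostname if portal else None,
        "victim_id": victim_id,
        "blocks": blocks,
    }


def extension_from_note_path(path: str) -> Optional[str]:
    """GandCrab names its note <EXT>-DECRYPT.txt; recover EXT from the path."""
    m = re.search(r"([A-Za-z0-9]+)-DECRYPT\.txt$", path, re.I)
    return m.group(1) if m else None


def note_is_consistent(path: str, parsed: dict) -> bool:
    """The extension in the note body must match the note's own filename."""
    ext = extension_from_note_path(path)
    return ext is not None and ext.upper() == (parsed["extension"] or "").upper()


if __name__ == "__main__":
    parsed = parse_gandcrab_note(SAMPLE_NOTE)
    for key, value in parsed.items():
        print(f"{key}: {value}")
    print("consistent:", note_is_consistent(r"C:\FTTXQHVO-DECRYPT.txt", parsed))
```

The victim id is the value worth recording alongside the extension: the onion hostname is shared across GandCrab victims, while the path is what the operators use to look up the key for this particular infection.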

Signatures

  • GandCrab payload 5 IoCs
  • Gandcrab

    GandCrab is a ransomware family, operated as ransomware-as-a-service from early 2018 until mid-2019, that encrypts the victim's files, appends a per-victim random extension (here .FTTXQHVO) and drops an <EXTENSION>-DECRYPT.txt note pointing to a Tor payment portal.

  • suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity

    Emerging Threats network signature (contributed by eSentire) for the command-and-control request pattern shared by GandCrab v4 and v5; the hit shows the sample attempted to reach its C2 from the sandbox.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs

    Seen in the first instance (PID 1980) together with WriteProcessMemory against a second copy of the same executable (PID 1184) that it launched. That combination is consistent with process hollowing/self-injection: the outer binary acts as an unpacker and the child carries out the encryption (the file-modification, drive-enumeration and wallpaper signatures all fire in PID 1184).

  • Drops file in Program Files directory 36 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
    "C:\Users\Admin\AppData\Local\Temp\421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\AppData\Local\Temp\421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe
      "C:\Users\Admin\AppData\Local\Temp\421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe"
      2⤵
      • Modifies extensions of user files
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Windows\SysWOW64\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1944
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1492
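The process tree is the part of this report that translates most directly into a detection: a binary running from %TEMP% launches a second copy of itself, and that copy calls wmic.exe to delete shadow copies. The script below is an added example, not code from the sandbox report or from any vendor; SAMPLE_EVENTS is constructed to mirror the tree above in Sysmon event 1 / EDR-style fields (PIDs and paths taken from the report), plus one benign control event. The vssadmin, wbadmin and bcdedit rules generalise the page's single wmic case to the other shadow-copy and recovery-disabling commands ransomware commonly runs; the T1055.012 label for the self-spawn hint uses the current ATT&CK ID, not the v6 matrix used on this page.

```python
"""Flag backup destruction and same-image self-spawn in process-creation events.

Added example, not from the sandbox report. Events are constructed to mirror
the report's process tree plus a benign control.
"""
import re

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\421ebfccaa01f1e6577b0fb952e4a78bbd95f1f2b08b06bac0978dbb84ade5de.exe"

# Constructed events: first three follow the report's tree, the last is benign.
SAMPLE_EVENTS = [
    {"pid": 1980, "ppid": 1500, "image": SAMPLE_EXE,
     "parent_image": r"C:\Windows\explorer.exe", "command_line": f'"{SAMPLE_EXE}"'},
    {"pid": 1184, "ppid": 1980, "image": SAMPLE_EXE,
     "parent_image": SAMPLE_EXE, "command_line": f'"{SAMPLE_EXE}"'},
    {"pid": 1944, "ppid": 1184, "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "parent_image": SAMPLE_EXE,
     "command_line": r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'},
    # Benign control: an admin listing (not deleting) shadow copies from cmd.
    {"pid": 2000, "ppid": 1700, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "vssadmin list shadows"},
]

# (rule name, pattern over the normalised command line). All map to T1490.
RECOVERY_INHIBIT_RULES = [
    ("wmic", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("vssadmin", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("wbadmin", re.compile(
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b")),
    ("bcdedit", re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled no|bootstatuspolicy ignoreallfailures)\b")),
]
# Directories an unprivileged user (and therefore a dropper) can write to.
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\appdata|programdata|windows\\temp)\\")


def normalise(cmd: str) -> str:
    """Collapse whitespace and case so quoting/spacing tricks do not evade the rules."""
    return re.sub(r"\s+", " ", cmd).strip().lower()


def scan_event(ev: dict) -> list:
    """Return a list of findings (possibly empty) for one process-creation event."""
    findings = []
    cmd = normalise(ev["command_line"])
    image, parent = ev["image"].lower(), ev["parent_image"].lower()

    for name, pat in RECOVERY_INHIBIT_RULES:
        if pat.search(cmd):
            # Deleting restore points from an admin shell is suspicious; when the
            # parent lives in a user-writable directory it is near-certain malware.
            severity = "critical" if USER_WRITABLE.search(parent) else "high"
            findings.append({"pid": ev["pid"], "rule": name, "technique": "T1490",
                             "severity": severity, "command_line": ev["command_line"]})
            break

    # A binary in AppData/%TEMP% launching a second copy of itself is the part of
    # the SetThreadContext/WriteProcessMemory hollowing pattern that is visible in
    # process-creation telemetry alone; on its own it is a hint, not a verdict.
    if image == parent and USER_WRITABLE.search(image):
        findings.append({"pid": ev["pid"], "rule": "self-spawn", "technique": "T1055.012",
                         "severity": "medium", "command_line": ev["command_line"]})
    return findings


def scan_events(events) -> list:
    """Scan a sequence of events and flatten the findings."""
    return [f for ev in events for f in scan_event(ev)]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] pid={finding['pid']} {finding['technique']} "
              f"{finding['rule']}: {finding['command_line']}")
```

Correlating the two findings by parent PID (the self-spawned 1184 is the parent of the wmic call in 1944) is what turns a medium and a critical alert into a single high-confidence ransomware incident; that join is left to the SIEM layer here.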

Network

MITRE ATT&CK Matrix ATT&CK v6

  Tactic             Technique                      Signatures  ID
  Defense Evasion    File Deletion                  1           T1107
  Defense Evasion    Modify Registry                2           T1112
  Defense Evasion    Install Root Certificate       1           T1130
  Credential Access  Credentials in Files           1           T1081
  Discovery          Query Registry                 2           T1012
  Discovery          Peripheral Device Discovery    1           T1120
  Discovery          System Information Discovery   3           T1082
  Collection         Data from Local System         1           T1005
  Impact             Inhibit System Recovery        1           T1490
  Impact             Defacement                     1           T1491

Downloads

The two CryptnetUrlCache entries below are Windows CryptoAPI's URL retrieval cache, populated when the OS fetches certificate chain, CRL or OCSP data during certificate validation; they are a side effect of the sample's certificate-store activity, not payloads fetched from the operators. The memory/*.dmp entries are sandbox dumps of process memory regions: the 160KB region at 0x400000-0x428000 is the image region of the second instance (PID 1184, where the encryption signatures fire), distinct from the 424KB original image at 0x1170000 in PID 1980.

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    60KB

    MD5

    589c442fc7a0c70dca927115a700d41e

    SHA1

    66a07dace3afbfd1aa07a47e6875beab62c4bb31

    SHA256

    2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

    SHA512

    1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    340B

    MD5

    3f9691c1e1baab31fae0a489d531b175

    SHA1

    276d732915bc82fff823d7ad1da1e7893f9f9009

    SHA256

    089034cdca0dca253e37b107cac0ea03c3de3a2baffc21a8800116c8b3733fcd

    SHA512

    93aa032e9a7c14fdd3922b2599b136b61c90b4caadda9e3afda0f8db0b096d38811398f4b4aba6e8c596dda410f12548293d7874cd0fdf9b90ba9cb19cb3b195

  • memory/1184-57-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

  • memory/1184-58-0x0000000000406217-mapping.dmp
  • memory/1184-61-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

  • memory/1184-62-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

  • memory/1184-63-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

  • memory/1944-64-0x0000000000000000-mapping.dmp
  • memory/1980-54-0x0000000001170000-0x00000000011DA000-memory.dmp
    Filesize

    424KB

  • memory/1980-55-0x0000000076C01000-0x0000000076C03000-memory.dmp
    Filesize

    8KB

  • memory/1980-56-0x0000000000580000-0x00000000005A0000-memory.dmp
    Filesize

    128KB