Analysis
max time kernel: 151s
max time network: 44s
platform: windows7_x64
resource: win7-20220414-en
submitted: 08-07-2022 03:59
Static task: static1
Behavioral task: behavioral1
  Sample: 41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629.exe
  Resource: win10v2004-20220414-en
General
Target: 41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629.exe
Size: 686KB
MD5: efa2a4323f392f4200b1955e61c8faa9
SHA1: 1c2ff80ad2942b508c9e410a1403ee8ec05bf6b7
SHA256: 41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629
SHA512: 9c4253d4062dc43c4dfc18c0a49bafb9fc74bab4ced012404f7d9996204784bf684e2810abfa81fcc48ccea780f08600d67ab3b0a41ce867d09399e5c162e788
Malware Config
Extracted from: C:\ODFGEIT-MANUAL.txt
Family: gandcrab
URL: http://gandcrabmfe6mnef.onion/85004426a53c29ec
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (14 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (all entries by 41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629.exe):
  - File renamed: C:\Users\Admin\Pictures\OutCheckpoint.crw => C:\Users\Admin\Pictures\OutCheckpoint.crw.odfgeit
  - File renamed: C:\Users\Admin\Pictures\PublishRead.png => C:\Users\Admin\Pictures\PublishRead.png.odfgeit
  - File opened for modification: C:\Users\Admin\Pictures\ResumeUnpublish.tiff
  - File renamed: C:\Users\Admin\Pictures\ResumeUnpublish.tiff => C:\Users\Admin\Pictures\ResumeUnpublish.tiff.odfgeit
  - File renamed: C:\Users\Admin\Pictures\DismountPublish.tif => C:\Users\Admin\Pictures\DismountPublish.tif.odfgeit
  - File renamed: C:\Users\Admin\Pictures\MeasureSelect.tif => C:\Users\Admin\Pictures\MeasureSelect.tif.odfgeit
  - File renamed: C:\Users\Admin\Pictures\StepProtect.raw => C:\Users\Admin\Pictures\StepProtect.raw.odfgeit
  - File renamed: C:\Users\Admin\Pictures\CompressHide.png => C:\Users\Admin\Pictures\CompressHide.png.odfgeit
  - File renamed: C:\Users\Admin\Pictures\ConvertFind.tif => C:\Users\Admin\Pictures\ConvertFind.tif.odfgeit
  - File renamed: C:\Users\Admin\Pictures\EnableComplete.crw => C:\Users\Admin\Pictures\EnableComplete.crw.odfgeit
  - File renamed: C:\Users\Admin\Pictures\SearchNew.png => C:\Users\Admin\Pictures\SearchNew.png.odfgeit
  - File renamed: C:\Users\Admin\Pictures\UnprotectPop.raw => C:\Users\Admin\Pictures\UnprotectPop.raw.odfgeit
  - File renamed: C:\Users\Admin\Pictures\UpdateBlock.png => C:\Users\Admin\Pictures\UpdateBlock.png.odfgeit
  - File renamed: C:\Users\Admin\Pictures\BackupConvertFrom.tif => C:\Users\Admin\Pictures\BackupConvertFrom.tif.odfgeit
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (all entries by 41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629.exe):
  - File opened (read-only), in the order observed: \??\B:, \??\G:, \??\H:, \??\K:, \??\M:, \??\N:, \??\T:, \??\Z:, \??\A:, \??\E:, \??\J:, \??\Q:, \??\R:, \??\S:, \??\W:, \??\F:, \??\L:, \??\P:, \??\V:, \??\Y:, \??\I:, \??\O:, \??\U:, \??\X:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629.exe):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp"
- Drops file in Program Files directory (23 IoCs)
  Processes (all entries by 41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629.exe):
  - File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\ODFGEIT-MANUAL.txt
  - File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\a53c2e0fa53c29ed20.lock
  - File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\ODFGEIT-MANUAL.txt
  - File created: C:\Program Files (x86)\ODFGEIT-MANUAL.txt
  - File opened for modification: C:\Program Files\ConvertFromExpand.ppsm
  - File opened for modification: C:\Program Files\ResetExit.dot
  - File opened for modification: C:\Program Files\UninstallClear.jpeg
  - File created: C:\Program Files (x86)\a53c2e0fa53c29ed20.lock
  - File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\ODFGEIT-MANUAL.txt
  - File created: C:\Program Files\a53c2e0fa53c29ed20.lock
  - File opened for modification: C:\Program Files\ConvertToEnter.avi
  - File opened for modification: C:\Program Files\MoveDeny.docm
  - File opened for modification: C:\Program Files\RenameFormat.xlsb
  - File opened for modification: C:\Program Files\SaveCopy.vstx
  - File opened for modification: C:\Program Files\SelectSwitch.dib
  - File opened for modification: C:\Program Files\SubmitUse.wma
  - File opened for modification: C:\Program Files\SyncRead.7z
  - File opened for modification: C:\Program Files\CloseResolve.ini
  - File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\a53c2e0fa53c29ed20.lock
  - File opened for modification: C:\Program Files\CompressDisable.mpeg2
  - File opened for modification: C:\Program Files\WaitMerge.reg
  - File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\a53c2e0fa53c29ed20.lock
  - File created: C:\Program Files\ODFGEIT-MANUAL.txt
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (all entries by 41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629.exe):
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  - PID 1532: vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - PID 1056: 41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629.exe
  - PID 1056: 41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (vssvc.exe, PID 1992):
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeAuditPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (source PID -> target PID, source process -> target process):
  - PID 1056 wrote to memory of 1620: 41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629.exe -> cmd.exe (4 times)
  - PID 1620 wrote to memory of 1532: cmd.exe -> vssadmin.exe (4 times)
Processes (process tree; indentation shows parent/child nesting)
- C:\Users\Admin\AppData\Local\Temp\41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1056-54-0x00000000764C1000-0x00000000764C3000-memory.dmp (filesize 8KB)
- memory/1056-55-0x0000000000400000-0x00000000004B1000-memory.dmp (filesize 708KB)
- memory/1056-56-0x00000000005B0000-0x00000000005D0000-memory.dmp (filesize 128KB)
- memory/1532-58-0x0000000000000000-mapping.dmp
- memory/1620-57-0x0000000000000000-mapping.dmp