Overview

overview

10

Static

static

41fb0d5abf...29.exe

windows7_x64

10

41fb0d5abf...29.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    103s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-07-2022 03:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629.exe

  • Size

    686KB

  • MD5

    efa2a4323f392f4200b1955e61c8faa9

  • SHA1

    1c2ff80ad2942b508c9e410a1403ee8ec05bf6b7

  • SHA256

    41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629

  • SHA512

    9c4253d4062dc43c4dfc18c0a49bafb9fc74bab4ced012404f7d9996204784bf684e2810abfa81fcc48ccea780f08600d67ab3b0a41ce867d09399e5c162e788

Score
10/10
gandcrabbackdoorransomwarespywarestealer

Malware Config

Extracted

Path

C:\WHIRMP-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .WHIRMP The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/c547bbe5e6e70bed | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAG4unqF8YRgkDln3Uk/UJmYk3psHOXZO5536/5/GRsQpn5oCY2SGnPUZwBEdrD1AfErnnKz2pPUdcJTxTeUzxkp85LCV+H9J7oEXx0XQBgR+WRKtjzclI3CyKbNeqBNy8QR+MpWO8xDU/WllveZ7uj8mfA5Tb1N4MPn78TRtQitJJm3ABoSEjxwdGclCbyc1h61BXRCsTiWeVf3Mh2nvOFTTbR0O3cf8YepH/zNFUV802/CJU0AKJBKrFHaVbI6exMY+C5uUfJSH7mOBNAkXTx8fjX1EGz3eRFr3baEHK0J93W5nwDusDv8AJttEvHnPcRNwNjVYgvoKijsWjgVr9MCn+YSI4+hs/0tpask7cDkWuZltpJ5NEz5i9YTqJK1k6nHWrSmvbrGmE+IZk/Xgw5fWqhTx7+Ihy7KYcHHVebtrv6ZSP8RgJTpCJbbc95MgtcX0N8+poD8WFMMXDmOTLRGiwIf0mauhJKPh4RaR11iL68o5WwjtJZ7OO5lKGzxNSt+upaMudkJoEzezUruphLXvEmIPRqpvJo5VSx7iYx5BxI2rG2xNsjkJ1xHkKV0zifPYfgDbJEE5yJT3z4QgV+ZWp2a/LK10vE29fivEz6FDqwfVWJEIa0v4qbFS2vd99tmxMd+4+vqveVKnNHtV9jNsMz5zYWEpvt/jkr8mIPnWzAnigX5OC51loU/Bjc/iYIYXw2Gee9AIZ/67AcajYlzsl0njYfl2dIXi2xoM6ZX2vBpVbYSB2cWz1q4XRy7fAprSukHP0HFvnTd+Nmch3Fwom6wXJaoZcq1AGbXdIwAnunYVg5u2Lxyc8L+lKZ8G2RkV8f4Zs/7C8+vIv5aph114WtKJopY51qNuEsUPxmF8u0Xo3hwD+J+ZfzCK/UgrhXH1OFj8p2tUoALyPsOrgwZM+M+I8iZCbv390RIQq94XBJVkR8at2hpFT9FfCBQXNgjj4F4D6wjtPccosIRqOQJPADjd0AHPU2nRTa+7Q/prJ8GIireXfkGQguE1AWAhfgScL0JwSXVNTn6GwoC5Wf3fKYDJ/4FQeMYBR3bKOYhP5hAktQ62Pqi2TbxMEd90T+qZqlxsaMXoMBPmiuPssRifFHXDHbv14YEELQmT2ZllbXAnyQt7sW9yAo+UFjr+5OBxqI/ILGICT4c5rzOO0te6IxckewEOMmJuKzO1ZLn2u/EOMP1cR6uYXywOKYaaLxmrAZvof+2J7E/JVY9HpL95hWIqxKBvIYSH6N7OxvVRw2aWyVdQ0F/s0tnFg0qNV5L8+gpvlnV/DhuXO5glseKBZEKLnNgV8tlLBeIRi3B6ZdDWNq4jIWBJpEjY9FGHB9YMJytM2xPX7Iu3sNq8g/yqLXhSbI0fQqJBOj9omydW13JRT4d8aPXAUbFvPJothMpxk5rpyMDIA7ip7iHMe+6wHU0qeNQRVtHeO/4111s61bMH8b9ULEWAOu0RE0PrErHTwRoMEravzGY6plDEGG9IFBIg1DesigvFAmThh+TY5z/7AkeCW2rwxOy1vEruvkBETjGEHC2y3AbpzY7Ylz/olEzRJD61h9rj+T23F/w7aUux/6uY4Z5pCz/rFv3OacRPEaKgnsrsSTCm2boGNVYM9EeFKEqh7S+nCK+2cjgW54tkHqvhjZUlEkBkoO8A7BtXiBXo2SYDTs7SEdOi0Q4z/SlrZKTqGtHfMTx79ChO6XR+kW+FSJsvp7smUbbX55AN1CYDhc5QLztOZfbDNmIV9V5tacLp695gI2u/Bvkkzg4w7X5INkxvk9818Bo84R5ZTBMbGpqXFBRe9IY40eWquGRul6EUkZ01+34DrQ8gLoSzuNLzbTngNpA6kg8sP+DSvF+7Nwhio8aJzDCtYs3Rbssxjv7TMzKP87msZab/nltTNX/J7OrJ6g5Vccqxs6WolUk7KiFnJGuKxEokddFsr+T6UUGZFcc/jwv2te1AY3PQ0JEZBkAV8ACSj9Bm8aMhByHRq16fHjXfb0EGP7g1MJWqNiWf7vw86bx29ukWFJgp1jElPN6cJXKBiLIQaSJKwBAg+W9mJ4bh5ECrjFsX7ENdgLVeIeI8WB8QFY2Cbf4gS2G3bkMotemaN4zAHB2pt5R2fqY/8sb0OgEGLAZqyAdGVMnuGiZnV6Zunu3T8jyn/PN7+hAykNwAVP70MI6Yfz0is5uFUWd2Ytkk8hFdHNKLlmd545DJs6h/VcWOZxVAfWO3CDl/R65ZnqGzPRnucv4= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmD09MrJNpDSAvGVsuDaRXvIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJLtAIBiBqqcZsR7K3ZLHJmYGRikfVP97y/PM3LOHjDaP0r1BW4eYoT03JrPa/L0B0wffnS0ez96BFoTHFqZ2APDWx5ShDudroN1oI6iqVw+mvqAdvYbwHrtgyoy8P1f2lWzmT7qd4AOw4gTGwIUyBb8YftNxTLWijqbjEwB/itTONKJOg3o3LWKn+7wkdvCyij4FNEr9E4CN7AJnhnNRKIBD1XUGeyfaMbJ0e1lo/q+RXezYEh3TGCu/rONcZPBaVdco= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/c547bbe5e6e70bed

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

    ransomwarebackdoorgandcrab
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629.exe
    "C:\Users\Admin\AppData\Local\Temp\41fb0d5abfce450b71c05c46fe04ea03c31264c7474832d9979dbb1d03865629.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
      2⤵
        PID:4424

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2848-130-0x00000000023F0000-0x0000000002410000-memory.dmp
      Filesize

      128KB

      Download
    • memory/2848-131-0x0000000000400000-0x00000000004B1000-memory.dmp
      Filesize

      708KB

      Download
    • memory/4424-132-0x0000000000000000-mapping.dmp
      Download