Analysis
- max time kernel: 170s
- max time network: 187s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-07-2022 04:16
Static task: static1
Behavioral task: behavioral1
Sample: 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
Resource: win7-20220414-en
General
- Target: 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
- Size: 568KB
- MD5: f040245046d2f8db8a02400f6416122f
- SHA1: baaefd2b0624f910c010587b0b45dde7b691dd7e
- SHA256: 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89
- SHA512: 4680860d5607ef4cd9b93d9c33516805040e6a4999109c7cee124755c8334c726c81072423d62abd5240400e5b451f329d7d24f5a9c501b931bfebec01a35809
Malware Config
Extracted
C:\VAUZD-DECRYPT.txt
http://gandcrabmfe6mnef.onion/bb3a3edfbc9fe403
Signatures
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (5 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe (process column is the same for every row)
  description | ioc
  File renamed | C:\Users\Admin\Pictures\DisableConfirm.png => C:\Users\Admin\Pictures\DisableConfirm.png.vauzd
  File renamed | C:\Users\Admin\Pictures\ImportExport.png => C:\Users\Admin\Pictures\ImportExport.png.vauzd
  File renamed | C:\Users\Admin\Pictures\MoveResume.raw => C:\Users\Admin\Pictures\MoveResume.raw.vauzd
  File renamed | C:\Users\Admin\Pictures\RegisterSuspend.tif => C:\Users\Admin\Pictures\RegisterSuspend.tif.vauzd
  File renamed | C:\Users\Admin\Pictures\ConvertFromUnlock.raw => C:\Users\Admin\Pictures\ConvertFromUnlock.raw.vauzd
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe (process column is the same for every row)
  description | ioc
  File opened (read-only) | \??\O:
  File opened (read-only) | \??\P:
  File opened (read-only) | \??\W:
  File opened (read-only) | \??\Y:
  File opened (read-only) | \??\E:
  File opened (read-only) | \??\J:
  File opened (read-only) | \??\I:
  File opened (read-only) | \??\M:
  File opened (read-only) | \??\N:
  File opened (read-only) | \??\T:
  File opened (read-only) | \??\U:
  File opened (read-only) | \??\A:
  File opened (read-only) | \??\B:
  File opened (read-only) | \??\Q:
  File opened (read-only) | \??\R:
  File opened (read-only) | \??\S:
  File opened (read-only) | \??\V:
  File opened (read-only) | \??\H:
  File opened (read-only) | \??\K:
  File opened (read-only) | \??\L:
  File opened (read-only) | \??\X:
  File opened (read-only) | \??\Z:
  File opened (read-only) | \??\F:
  File opened (read-only) | \??\G:
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
  description | pid | process | target process
  PID 1552 set thread context of 1540 | 1552 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
  PID 1552 set thread context of 1540 | 1552 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
- Drops file in Program Files directory (32 IoCs)
  Processes: 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe (process column is the same for every row)
  description | ioc
  File opened for modification | C:\Program Files\DisableClose.nfo
  File opened for modification | C:\Program Files\InstallCompress.scf
  File opened for modification | C:\Program Files\MergeRegister.reg
  File opened for modification | C:\Program Files\UpdateJoin.pps
  File created | C:\Program Files (x86)\bc9fe3e0bc9fe40220.lock
  File opened for modification | C:\Program Files\CopyWatch.xps
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\bc9fe3e0bc9fe40220.lock
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\VAUZD-DECRYPT.txt
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\bc9fe3e0bc9fe40220.lock
  File opened for modification | C:\Program Files\ClearSync.tiff
  File opened for modification | C:\Program Files\CompareSend.tiff
  File opened for modification | C:\Program Files\ShowWrite.3gp
  File opened for modification | C:\Program Files\SuspendTrace.docx
  File opened for modification | C:\Program Files\UndoAdd.rle
  File opened for modification | C:\Program Files\ExitCopy.scf
  File opened for modification | C:\Program Files\ResumeTest.xml
  File created | C:\Program Files\bc9fe3e0bc9fe40220.lock
  File opened for modification | C:\Program Files\ConfirmSuspend.css
  File opened for modification | C:\Program Files\SaveDisconnect.mpeg
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\bc9fe3e0bc9fe40220.lock
  File opened for modification | C:\Program Files\DenyEnable.midi
  File opened for modification | C:\Program Files\PushHide.mp2v
  File opened for modification | C:\Program Files\RemoveClose.ttf
  File opened for modification | C:\Program Files\StopApprove.xsl
  File created | C:\Program Files (x86)\VAUZD-DECRYPT.txt
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\VAUZD-DECRYPT.txt
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\VAUZD-DECRYPT.txt
  File created | C:\Program Files\VAUZD-DECRYPT.txt
  File opened for modification | C:\Program Files\MergeFormat.avi
  File opened for modification | C:\Program Files\ProtectInstall.docx
  File opened for modification | C:\Program Files\StopConnect.search-ms
  File opened for modification | C:\Program Files\UpdateUnprotect.asx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe (process column is the same for every row)
  description | ioc
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
  pid | process
  1540 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
  1540 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  Processes: wmic.exe, vssvc.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 532 | wmic.exe
  Token: SeSecurityPrivilege | 532 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 532 | wmic.exe
  Token: SeLoadDriverPrivilege | 532 | wmic.exe
  Token: SeSystemProfilePrivilege | 532 | wmic.exe
  Token: SeSystemtimePrivilege | 532 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 532 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 532 | wmic.exe
  Token: SeCreatePagefilePrivilege | 532 | wmic.exe
  Token: SeBackupPrivilege | 532 | wmic.exe
  Token: SeRestorePrivilege | 532 | wmic.exe
  Token: SeShutdownPrivilege | 532 | wmic.exe
  Token: SeDebugPrivilege | 532 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 532 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 532 | wmic.exe
  Token: SeUndockPrivilege | 532 | wmic.exe
  Token: SeManageVolumePrivilege | 532 | wmic.exe
  Token: 33 | 532 | wmic.exe
  Token: 34 | 532 | wmic.exe
  Token: 35 | 532 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 532 | wmic.exe
  Token: SeSecurityPrivilege | 532 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 532 | wmic.exe
  Token: SeLoadDriverPrivilege | 532 | wmic.exe
  Token: SeSystemProfilePrivilege | 532 | wmic.exe
  Token: SeSystemtimePrivilege | 532 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 532 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 532 | wmic.exe
  Token: SeCreatePagefilePrivilege | 532 | wmic.exe
  Token: SeBackupPrivilege | 532 | wmic.exe
  Token: SeRestorePrivilege | 532 | wmic.exe
  Token: SeShutdownPrivilege | 532 | wmic.exe
  Token: SeDebugPrivilege | 532 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 532 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 532 | wmic.exe
  Token: SeUndockPrivilege | 532 | wmic.exe
  Token: SeManageVolumePrivilege | 532 | wmic.exe
  Token: 33 | 532 | wmic.exe
  Token: 34 | 532 | wmic.exe
  Token: 35 | 532 | wmic.exe
  Token: SeBackupPrivilege | 1168 | vssvc.exe
  Token: SeRestorePrivilege | 1168 | vssvc.exe
  Token: SeAuditPrivilege | 1168 | vssvc.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
  pid | process
  1552 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes: 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
  pid | process
  1540 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe (both the parent and the injected child instance)
  description | pid | process | target process
  PID 1552 wrote to memory of 1540 | 1552 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
  PID 1552 wrote to memory of 1540 | 1552 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
  PID 1552 wrote to memory of 1540 | 1552 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
  PID 1552 wrote to memory of 1540 | 1552 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
  PID 1540 wrote to memory of 532 | 1540 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe | wmic.exe
  PID 1540 wrote to memory of 532 | 1540 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe | wmic.exe
  PID 1540 wrote to memory of 532 | 1540 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe | wmic.exe
  PID 1540 wrote to memory of 532 | 1540 | 41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe | wmic.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\41e4f65d0efb6d65436862aab7f0e0e1518989d902ede5583e7f198352d98d89.exe"
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wbem\wmic.exe
      Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/532-62-0x0000000000000000-mapping.dmp
- memory/1540-58-0x000000000047B177-mapping.dmp
- memory/1552-56-0x00000000002C0000-0x00000000002C8000-memory.dmp (Filesize: 32KB)
- memory/1552-57-0x0000000074F91000-0x0000000074F93000-memory.dmp (Filesize: 8KB)
- memory/1552-59-0x0000000077030000-0x00000000771B0000-memory.dmp (Filesize: 1.5MB)