gandcrab | d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0

General

Target

d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
Size

183KB
MD5

07fadb006486953439ce0092651fd7a6
SHA1

e42431d37561cc695de03b85e8e99c9e31321742
SHA256

d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0
SHA512

5b09a07371bb5350b22c78aa3e7e673ba61ce72a964e072749a4633e2c15f416c05953cc6e6f6c586df010aa7f2c9c0ab87a014e4f732e5fdb2d58778a1fb437
SSDEEP

3072:Ealy19emgKe0QuYS3UmWuDTEltI3S/7IarDrjCgrQp0M7W:EaqxxDwx/7IS40MS

Score

10^/10

gandcrab backdoor ransomware spyware stealer

Malware Config

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Drops startup file 2 IoCs

Processes:

d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RWRSF-DECRYPT.html	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\7b3bd6937b3bd17e516.lock	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe

description	ioc	process
File opened (read-only)	\??\O:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\T:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\Y:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\A:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\F:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\K:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\V:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\H:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\M:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\S:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\X:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\E:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\I:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\P:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\L:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\N:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\Q:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\R:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\U:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\B:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\G:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\J:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\W:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened (read-only)	\??\Z:	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe

Drops file in Program Files directory 39 IoCs

Processes:

d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe

description	ioc	process
File created	C:\Program Files\RWRSF-DECRYPT.html	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\ConvertDebug.wmx	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\MoveRequest.midi	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\UnregisterGrant.ttc	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\BackupAssert.css	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\ExportCompare.m4a	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\GetWrite.xps	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\ConvertFromInstall.css	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\DisconnectSwitch.DVR-MS	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\PopDisconnect.WTV	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\ReadUnblock.rtf	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\UpdateComplete.asp	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\WaitSync.m4a	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\UnpublishRestore.asf	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\BackupInvoke.mpeg3	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\ConvertRemove.wpl	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\MoveShow.mpeg	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\ReadConvertTo.docm	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\ResetShow.clr	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\SubmitSet.tif	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File created	C:\Program Files (x86)\7b3bd6937b3bd17e516.lock	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\CloseStep.aifc	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\EnterDisable.aif	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\EnterShow.iso	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\ExportConvert.emf	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\StopNew.xsl	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File created	C:\Program Files (x86)\RWRSF-DECRYPT.html	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File created	C:\Program Files\7b3bd6937b3bd17e516.lock	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\GroupSkip.nfo	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\RedoConvert.asf	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\RestartMount.mpeg2	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\SwitchEnable.ram	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\TraceInstall.wma	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\ConfirmRemove.M2TS	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\ConfirmSet.crw	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\FormatPop.mhtml	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\GrantStop.wma	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\OpenSet.svgz	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
File opened for modification	C:\Program Files\OptimizeExpand.mov	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe

pid	process
972	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
972	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
972	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
972	d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe

C:\Users\Admin\AppData\Local\Temp\d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe
"C:\Users\Admin\AppData\Local\Temp\d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:972