Resubmissions

07/09/2023, 14:45

230907-r45fysaf5s 10

07/09/2023, 14:12

230907-rjbyxaad5s 10

Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/09/2023, 14:12

General

  • Target

    4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe

  • Size

    349KB

  • MD5

    eb7138741adc746f8953a3db50d9e235

  • SHA1

    c0adbd63648052edacdf65f74ce1ce9701125570

  • SHA256

    4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00

  • SHA512

    41d4a0aadbe055f6b22ead1bcc407a53e02075218e48aae18d2df5bf23f87fad0c8609725fa60e89de6fc67041acd41303c0505d1b88ddc06b7ed916a5981f8a

  • SSDEEP

    6144:YPNS/+PNS/t7VggtOXOICLcF8t+JKrllVtqfLJC:YPPPiHcXOIFyqwjtqfLQ

Malware Config

Extracted

Path

C:\MSOCache\OUBFQI-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.3 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .OUBFQI
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/cc0c4e2b858daf20
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
[key data removed]
---END GANDCRAB KEY---
---BEGIN PC DATA---
[PC data removed]
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/cc0c4e2b858daf20

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (343) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 38 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
    "C:\Users\Admin\AppData\Local\Temp\4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Users\Admin\AppData\Local\Temp\4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe
      "C:\Users\Admin\AppData\Local\Temp\4fb989bc0ffe2ad50811ff1784f8bf4e1c1aaaee0001e0c8aeb2f8f83b065a00.exe"
      2⤵
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\SysWOW64\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:328
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2800

Network

Downloads

        • C:\MSOCache\OUBFQI-DECRYPT.txt

          Filesize

          8KB

          MD5

          585f32a1c3e4ba6d3d121364f1fb135f

          SHA1

          2273482eb3d84487b5b2e25e9318afff6026f19a

          SHA256

          503a71e0d772a3cdbc7d1febc49a47b24438a2617f490f5dc0c4a65eb813a533

          SHA512

          250466b2f15c59177ba8be3758796d69849d1bf7157973120b7767791b94942d3418879de619dfb7314f371aae0808b2d9c9796c34e3796cca523677033e7977

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          483e73d4d410e44af1ab38efb46427b3

          SHA1

          3b683d8a18e8acaeb14a6599be8b2c7f30062d37

          SHA256

          314e585ca1e01aa4833fc6ccd4e65205817b0b7d3bdce6419d5a09de431e641d

          SHA512

          b8ce29ed86b3f7e09e6d23daa1fbbafed9de781f48f276c1b7e0f7a4b43eafde8d1be6cbf4c045c58f0dcb022dae3b174f66ca4813b1114c82bb9755b5084609

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          6a8ea1dbd57002bed85791e61d195f27

          SHA1

          8f83e7eb6440bed4b40f695f2c068417ae1f538d

          SHA256

          d41bcfe8aeddb375f2eb08dc2b7d53acef6c2a214a284a0452a1a3a37774eaf0

          SHA512

          6ff1896a9148c5aebf22472ec7de6d4dd1989d11af6568fdf68386489e936409927759b600565271907908db69acc82ded34d0502b057ed65e5ccd269f762674

        • C:\Users\Admin\AppData\Local\Temp\Cab43E5.tmp

          Filesize

          61KB

          MD5

          f3441b8572aae8801c04f3060b550443

          SHA1

          4ef0a35436125d6821831ef36c28ffaf196cda15

          SHA256

          6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

          SHA512

          5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

        • C:\Users\Admin\AppData\Local\Temp\Tar44C3.tmp

          Filesize

          163KB

          MD5

          9441737383d21192400eca82fda910ec

          SHA1

          725e0d606a4fc9ba44aa8ffde65bed15e65367e4

          SHA256

          bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

          SHA512

          7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

        • memory/2392-4-0x0000000074850000-0x0000000074F3E000-memory.dmp

          Filesize

          6.9MB

        • memory/2392-0-0x0000000000BD0000-0x0000000000C2A000-memory.dmp

          Filesize

          360KB

        • memory/2392-1-0x0000000074850000-0x0000000074F3E000-memory.dmp

          Filesize

          6.9MB

        • memory/2392-2-0x00000000004B0000-0x00000000004C0000-memory.dmp

          Filesize

          64KB

        • memory/2392-3-0x0000000000620000-0x0000000000660000-memory.dmp

          Filesize

          256KB

        • memory/2392-17-0x0000000074850000-0x0000000074F3E000-memory.dmp

          Filesize

          6.9MB

        • memory/2392-6-0x0000000000620000-0x0000000000660000-memory.dmp

          Filesize

          256KB

        • memory/2392-5-0x0000000000620000-0x0000000000660000-memory.dmp

          Filesize

          256KB

        • memory/2616-32-0x0000000000080000-0x00000000000A8000-memory.dmp

          Filesize

          160KB

        • memory/2616-868-0x0000000000080000-0x00000000000A8000-memory.dmp

          Filesize

          160KB

        • memory/2616-18-0x0000000000080000-0x00000000000A8000-memory.dmp

          Filesize

          160KB

        • memory/2616-16-0x0000000000080000-0x00000000000A8000-memory.dmp

          Filesize

          160KB

        • memory/2616-12-0x0000000000080000-0x00000000000A8000-memory.dmp

          Filesize

          160KB

        • memory/2616-8-0x0000000000080000-0x00000000000A8000-memory.dmp

          Filesize

          160KB