Overview

overview

10

Static

static

3

o.exe

windows7-x64

10

o.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    70s
  • max time network
    82s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2023 14:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    o.exe

  • Size

    183KB

  • MD5

    07fadb006486953439ce0092651fd7a6

  • SHA1

    e42431d37561cc695de03b85e8e99c9e31321742

  • SHA256

    d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0

  • SHA512

    5b09a07371bb5350b22c78aa3e7e673ba61ce72a964e072749a4633e2c15f416c05953cc6e6f6c586df010aa7f2c9c0ab87a014e4f732e5fdb2d58778a1fb437

  • SSDEEP

    3072:Ealy19emgKe0QuYS3UmWuDTEltI3S/7IarDrjCgrQp0M7W:EaqxxDwx/7IS40MS

Score
10/10
gandcrabbackdoorransomwarespywarestealer

Malware Config

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

    ransomwarebackdoorgandcrab
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (260) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\o.exe
    "C:\Users\Admin\AppData\Local\Temp\o.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\SysWOW64\wbem\wmic.exe
      "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2824
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1188
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\TITHI-DECRYPT.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2476 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1224

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3849525425-30183055-657688904-1000\TITHI-DECRYPT.html
    Filesize

    64KB

    MD5

    258e1695fdcdd6d62764d4f9bde191ba

    SHA1

    f1559ad79473ebca6b324ab0e7261506886394ff

    SHA256

    a6fbe22cb2216835b2d3312fcbbda23003cbf5b61f4267f0cfb0a96907d1ae9d

    SHA512

    0df29641631db0cdccf8cbcb395dd9267555781f8e661072ef6de5a280051cf4b55d7d38f45244b5c389980c03a6e6fe870258224549bd52efbcb124fec12fbd

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    ddb54415c4c5fc38aceac11d745b455d

    SHA1

    878709fca0369c35551376727e7ecda30bd148b8

    SHA256

    252cc873796f55c89acc91f8d0a24143efd18f53cc3faff109c48d8fae238147

    SHA512

    d5425afa16373fcf2b17459f8241d7c68cb6c3504ba6855a4794f9cfda22c8d8724d38eba635397e370d82b68d4d2818596f8fdc1570f9468902b146b278e8bc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    2694d57165e276c767d071e00758f180

    SHA1

    94b133a304a5a336ca65042d7418aef86fa998f7

    SHA256

    59c9a00d120f679915e7f77d38ec883dff5b97504a97a7018e26abc2e02051cf

    SHA512

    fc55b59256a7870fd09be0580a6400b317d1754943313aa8b0176a0f27b997dcf7ee78871aa155c43f7754215cf31c1be04e060d513c8780551712d50de906c3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    bcae0ac6831cd293b34dc983ac4954ff

    SHA1

    8c9caa310e223cbe99f79f0611da0fa5e908185f

    SHA256

    9480043fb7a4164817b6635bf4635657bf139ac756998bf324b15c8c9b76fbc5

    SHA512

    fc2bf3d90c9e0c43930563e7301dd24df2d409a2596bf84ca2fed21e856d3e92f965af43641c9065ffa1b4179af647522ed13c33c732e9aae6668a0df818989e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    bf34f14b485a83fd76a0f47a4ec82f7c

    SHA1

    c3f082e28675e7a6f680f4d63a09c03416f9c29a

    SHA256

    45eee3daa22702c138b9504a62f7ae4f36d8eec9efb30ce7efc073ae8a8c5169

    SHA512

    d777ed88f8c788c9b6ff5116a8ece31b6a7aa6610a3e6599f9109bd066126a7010b7214b123545a35508d23f1991b46ebd171f26ff03a7042b02ce7aace35321

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    3cda9ffeae2801e6a8d25a6fc00660d5

    SHA1

    dcfc423afea41b51e508077c8d7c7a58d9ac70ec

    SHA256

    f9fc5cb201d47818305b1f2e7bc02cad83c7b73651889f8cf16854d72d7851a7

    SHA512

    b0ca3d7b8f1c8cdd7bff8c3b96d52ec3fc79f123fdb8b327527e2b1852a103af37e273d4a01a33a59c06d8063f40d40b48d52bc7b5472c59c86ff3e1838a0393

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    00313c9bc509c2b947764247431b4b5a

    SHA1

    66a5d34c5f83a1ee05a03d7babdb1e5b8c3dcf76

    SHA256

    0ae15fa43a6e2d084ead0242164c4b35ff4c460b4da62541742eb563f6654284

    SHA512

    507e4857fee1b80ddd01145228a407e4725f0e18b86754d47659f387bbeef545e588a9fd8658d2d92e9e5ec31b354ecead3521d8be8b0f3a7ce587f4261e1e96

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    6f6e041e05d6a4768042a0a300b96d69

    SHA1

    ac6f5cb113bcbd90506b4f8b5088ee38b8289ab9

    SHA256

    d03aee1feba61c7468d39b27ab0d16175d69f40c12927f3a82cc272c2b6cabaf

    SHA512

    7d4ffaf819e1a6aaeb41125733b1137d17aee5b59515690148ce4beee885a799ef0690a7deda19add29c538430fdcfd16a7360bb7a33d8dd8cf9a49d870ca6d8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    05855052c3146c9564edfc481e701d21

    SHA1

    9fe1272da012b81f2f8c84b88cda3c0854defa8f

    SHA256

    9e3b4f3f0edf90f52f210b2e2a0b7a67aabda663c673919558076813d83831b3

    SHA512

    3e38f57e134ec37a26a6d3555ea2da687eb9b175cdde60038f8ba40a382593a00fb6264f1174924671c9e384e2a4377382f648fc7a9aabee9abeceefd381bd15

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    0fe2f5f06b769a775f529c050f9a0875

    SHA1

    ec8298cac172299cc1993b51cefbf2f0b5b9c851

    SHA256

    b7a02a53f0417cb5d07edb176f6e1eaad7b5cece7ab87f84bd67e2c42da32cbb

    SHA512

    b9807383c7e8a8c62abfa7d917b7aeb659264ac3bcf8696a95264f74cd2497dfc31652c67357ef074025eaad7cb5e4812a3312b3d3bc6a94414c129ad9239b52

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    3a238e0a0b3776c7618b6c42b383d6b5

    SHA1

    7da1a2b1dd4c40ff495a31ffff051fc6f38ea2b4

    SHA256

    6e154e0b85b334756e442ee4aa1182aff4c835e260bd1c6006759fb4337ef137

    SHA512

    5eb7b824c575909779f73729d8abe99407ff10945524d12b1793e39d57079991fc4433007e0fa0b06f27ed013cfacef4b204a1b0a0bcdaaab70e41806b42bc3c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    588989380d30887f888ad5d4d564b82e

    SHA1

    bad11793c43f6b9587115130720a63dc139b4582

    SHA256

    cfaedcce4084ae399009c9e47a62ff08914316c8801cbadf7e94bd0f5366e01e

    SHA512

    1ac27a9dda8cfac2e0ae0b1d2cbe5395f6d91fa123b3a412e21218d79df4fa1a5a0ab2d0e9bb8ba3c17c4efa10845f671ef6fa7d0214fe3e4fd9ec95c2e2a5f6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab38DE.tmp
    Filesize

    61KB

    MD5

    f3441b8572aae8801c04f3060b550443

    SHA1

    4ef0a35436125d6821831ef36c28ffaf196cda15

    SHA256

    6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

    SHA512

    5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar394E.tmp
    Filesize

    163KB

    MD5

    9441737383d21192400eca82fda910ec

    SHA1

    725e0d606a4fc9ba44aa8ffde65bed15e65367e4

    SHA256

    bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

    SHA512

    7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\TITHI-DECRYPT.html
    Filesize

    64KB

    MD5

    258e1695fdcdd6d62764d4f9bde191ba

    SHA1

    f1559ad79473ebca6b324ab0e7261506886394ff

    SHA256

    a6fbe22cb2216835b2d3312fcbbda23003cbf5b61f4267f0cfb0a96907d1ae9d

    SHA512

    0df29641631db0cdccf8cbcb395dd9267555781f8e661072ef6de5a280051cf4b55d7d38f45244b5c389980c03a6e6fe870258224549bd52efbcb124fec12fbd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\TITHI-DECRYPT.html
    Filesize

    64KB

    MD5

    258e1695fdcdd6d62764d4f9bde191ba

    SHA1

    f1559ad79473ebca6b324ab0e7261506886394ff

    SHA256

    a6fbe22cb2216835b2d3312fcbbda23003cbf5b61f4267f0cfb0a96907d1ae9d

    SHA512

    0df29641631db0cdccf8cbcb395dd9267555781f8e661072ef6de5a280051cf4b55d7d38f45244b5c389980c03a6e6fe870258224549bd52efbcb124fec12fbd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\TITHI-DECRYPT.html
    Filesize

    64KB

    MD5

    258e1695fdcdd6d62764d4f9bde191ba

    SHA1

    f1559ad79473ebca6b324ab0e7261506886394ff

    SHA256

    a6fbe22cb2216835b2d3312fcbbda23003cbf5b61f4267f0cfb0a96907d1ae9d

    SHA512

    0df29641631db0cdccf8cbcb395dd9267555781f8e661072ef6de5a280051cf4b55d7d38f45244b5c389980c03a6e6fe870258224549bd52efbcb124fec12fbd

    Download Submit

  • C:\Users\Admin\Desktop\TITHI-DECRYPT.html
    Filesize

    64KB

    MD5

    258e1695fdcdd6d62764d4f9bde191ba

    SHA1

    f1559ad79473ebca6b324ab0e7261506886394ff

    SHA256

    a6fbe22cb2216835b2d3312fcbbda23003cbf5b61f4267f0cfb0a96907d1ae9d

    SHA512

    0df29641631db0cdccf8cbcb395dd9267555781f8e661072ef6de5a280051cf4b55d7d38f45244b5c389980c03a6e6fe870258224549bd52efbcb124fec12fbd

    Download Submit