gandcrab | d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0

Analysis

max time kernel
127s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

o.exe
Size

183KB
MD5

07fadb006486953439ce0092651fd7a6
SHA1

e42431d37561cc695de03b85e8e99c9e31321742
SHA256

d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0
SHA512

5b09a07371bb5350b22c78aa3e7e673ba61ce72a964e072749a4633e2c15f416c05953cc6e6f6c586df010aa7f2c9c0ab87a014e4f732e5fdb2d58778a1fb437
SSDEEP

3072:Ealy19emgKe0QuYS3UmWuDTEltI3S/7IarDrjCgrQp0M7W:EaqxxDwx/7IS40MS

Score

10^/10

gandcrab backdoor ransomware spyware stealer

Malware Config

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (250) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	o.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\EUIUR-DECRYPT.html	o.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\8b586ab28b586d5c618.lock	o.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	o.exe
File opened (read-only)	\??\S:	o.exe
File opened (read-only)	\??\U:	o.exe
File opened (read-only)	\??\B:	o.exe
File opened (read-only)	\??\J:	o.exe
File opened (read-only)	\??\L:	o.exe
File opened (read-only)	\??\M:	o.exe
File opened (read-only)	\??\P:	o.exe
File opened (read-only)	\??\V:	o.exe
File opened (read-only)	\??\Z:	o.exe
File opened (read-only)	\??\R:	o.exe
File opened (read-only)	\??\A:	o.exe
File opened (read-only)	\??\E:	o.exe
File opened (read-only)	\??\H:	o.exe
File opened (read-only)	\??\K:	o.exe
File opened (read-only)	\??\N:	o.exe
File opened (read-only)	\??\Y:	o.exe
File opened (read-only)	\??\G:	o.exe
File opened (read-only)	\??\O:	o.exe
File opened (read-only)	\??\T:	o.exe
File opened (read-only)	\??\W:	o.exe
File opened (read-only)	\??\X:	o.exe
File opened (read-only)	\??\I:	o.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"	o.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\PingSave.bmp	o.exe
File opened for modification	C:\Program Files\PingSave.m4v	o.exe
File opened for modification	C:\Program Files\RemoveRedo.xlsb	o.exe
File opened for modification	C:\Program Files\SkipLock.edrwx	o.exe
File opened for modification	C:\Program Files\UpdateRead.tiff	o.exe
File opened for modification	C:\Program Files\WaitDisable.reg	o.exe
File opened for modification	C:\Program Files\InstallTest.search-ms	o.exe
File opened for modification	C:\Program Files\LockApprove.dotx	o.exe
File created	C:\Program Files\8b586ab28b586d5c618.lock	o.exe
File opened for modification	C:\Program Files\BackupClose.xltx	o.exe
File created	C:\Program Files (x86)\8b586ab28b586d5c618.lock	o.exe
File opened for modification	C:\Program Files\UnregisterExport.3gpp	o.exe
File opened for modification	C:\Program Files\ConvertResize.clr	o.exe
File opened for modification	C:\Program Files\LimitPop.mpeg3	o.exe
File opened for modification	C:\Program Files\SkipNew.vb	o.exe
File opened for modification	C:\Program Files\OpenUndo.m4a	o.exe
File created	C:\Program Files (x86)\EUIUR-DECRYPT.html	o.exe
File created	C:\Program Files\EUIUR-DECRYPT.html	o.exe
File opened for modification	C:\Program Files\ConvertStop.odt	o.exe
File opened for modification	C:\Program Files\NewConfirm.gif	o.exe
File opened for modification	C:\Program Files\TestNew.ini	o.exe
File opened for modification	C:\Program Files\EditHide.jpe	o.exe
File opened for modification	C:\Program Files\ConvertFromClear.m1v	o.exe
File opened for modification	C:\Program Files\EditGroup.zip	o.exe
File opened for modification	C:\Program Files\OptimizeUnblock.kix	o.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	o.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	o.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	o.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3196	o.exe
3196	o.exe
3196	o.exe
3196	o.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4924	wmic.exe
Token: SeSecurityPrivilege	4924	wmic.exe
Token: SeTakeOwnershipPrivilege	4924	wmic.exe
Token: SeLoadDriverPrivilege	4924	wmic.exe
Token: SeSystemProfilePrivilege	4924	wmic.exe
Token: SeSystemtimePrivilege	4924	wmic.exe
Token: SeProfSingleProcessPrivilege	4924	wmic.exe
Token: SeIncBasePriorityPrivilege	4924	wmic.exe
Token: SeCreatePagefilePrivilege	4924	wmic.exe
Token: SeBackupPrivilege	4924	wmic.exe
Token: SeRestorePrivilege	4924	wmic.exe
Token: SeShutdownPrivilege	4924	wmic.exe
Token: SeDebugPrivilege	4924	wmic.exe
Token: SeSystemEnvironmentPrivilege	4924	wmic.exe
Token: SeRemoteShutdownPrivilege	4924	wmic.exe
Token: SeUndockPrivilege	4924	wmic.exe
Token: SeManageVolumePrivilege	4924	wmic.exe
Token: 33	4924	wmic.exe
Token: 34	4924	wmic.exe
Token: 35	4924	wmic.exe
Token: 36	4924	wmic.exe
Token: SeIncreaseQuotaPrivilege	4924	wmic.exe
Token: SeSecurityPrivilege	4924	wmic.exe
Token: SeTakeOwnershipPrivilege	4924	wmic.exe
Token: SeLoadDriverPrivilege	4924	wmic.exe
Token: SeSystemProfilePrivilege	4924	wmic.exe
Token: SeSystemtimePrivilege	4924	wmic.exe
Token: SeProfSingleProcessPrivilege	4924	wmic.exe
Token: SeIncBasePriorityPrivilege	4924	wmic.exe
Token: SeCreatePagefilePrivilege	4924	wmic.exe
Token: SeBackupPrivilege	4924	wmic.exe
Token: SeRestorePrivilege	4924	wmic.exe
Token: SeShutdownPrivilege	4924	wmic.exe
Token: SeDebugPrivilege	4924	wmic.exe
Token: SeSystemEnvironmentPrivilege	4924	wmic.exe
Token: SeRemoteShutdownPrivilege	4924	wmic.exe
Token: SeUndockPrivilege	4924	wmic.exe
Token: SeManageVolumePrivilege	4924	wmic.exe
Token: 33	4924	wmic.exe
Token: 34	4924	wmic.exe
Token: 35	4924	wmic.exe
Token: 36	4924	wmic.exe
Token: SeBackupPrivilege	2696	vssvc.exe
Token: SeRestorePrivilege	2696	vssvc.exe
Token: SeAuditPrivilege	2696	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 4924	3196	o.exe	91
PID 3196 wrote to memory of 4924	3196	o.exe	91
PID 3196 wrote to memory of 4924	3196	o.exe	91

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\o.exe
"C:\Users\Admin\AppData\Local\Temp\o.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\SysWOW64\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

F:\$RECYCLE.BIN\S-1-5-21-3027552071-446050021-1254071215-1000\EUIUR-DECRYPT.html

Filesize
64KB

MD5
8a0d2a3d643bfe3f462a1d5ac2252a22

SHA1
4ba5c9de24d9cb9f7f1b8c10754e4baa192d7ba7

SHA256
6ed6fcfd46f4284171b69e25ca5244d52e667626b4688b42097dbc8328a7edb5

SHA512
5883795edfac95ed3c47a87a6b47be946cb738616ff0786b15c0af5671181f986a697509072ba6363a56e4f9a37ff3e91e484971b065519e6872687b42044167

Download Submit