Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-03-2024 21:38

General

  • Target

    ransomwares/GandCrab/GandCrab.exe

  • Size

    424KB

  • MD5

    95557a29de4b70a25ce62a03472be684

  • SHA1

    5baabf2869278e60d4c4f236b832bffddd6cf969

  • SHA256

    49b769536224f160b6087dc866edf6445531c6136ab76b9d5079ce622b043200

  • SHA512

    79b78cf77926e0d8b424ad9984f72d4461c7d9e7af58c4e2af32fa7c58cc445c534228b0709b87f5e35e1c8793b3d028dc60787151d852b8524023d08b57f103

  • SSDEEP

    6144:/UGV83D35bJrqV2L/E0tA+j16kUef5Nj1mB9WjEw0tzMV:qvmVe9h1qEtkBzw0tQ

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\HIHGZIRRR-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.3 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .HIHGZIRRR
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/11401109ba5b939
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAALIbt7ITjVfULuaWRhOBORexxRgH68mVsC/Sd5yhRvS0T0GnLT4eUS2+L5SItPKPeVVQWvvVw1lvq4XVpwBhm51mO89CWb2mOZGXFroTUviHfkLtO1RLtJQHNsLFUFkEiFeSGCl7+30EzHerscOTM5vVEazj72daajPVABlUdr4jM/oquNAvO4xBTWwimV0y7iw4v/DNj7hUFECqfNqAZMeLa4KhUhSjG6B7mrZgKkpylmASSRzd0Ap99wIPbSWuVXCz2NCt967lbEDelIHAgeNgTZw+D9hG2NRRxUwSzBg/dVcoaBJajS+H7mY2uWlFeJ+Ljufft1k3KZ/p0lrMnphqB2vChnVn2fBdvPrnARXrUdbdiXmnv5ANGEBavGOE94dHw5xKM1o78PbkNS/Z/1JOgiOmCeGeLWGBO38ho546dq3AI6b8W1O3oSVgG6JYygKLuvNCWIC9mxShfmapVSts6tqq64wh4lcM79nLT1wjRLb9C1Xs+U4z5MDtNTgWusN5KiF3vBa0sZfl59DmOiv0Sastw1hSBbthP19FE2IkMdG1sVa3ulCsicWGkxIDeMsemLWgQhiG63iIgPZDpqJ+DRajXWlQguM7gu6sAwM4Q3FPOGFftmHwjMCnZ/IHflgPzgaeb6ClU/HAh5Xv/TWB3Gd9JzzqmpNZ2EY4lfUZxYjRlIH/mF/a/Ns4AKEj7OTRtvDUtkGMR5IV1BjChqYqK2va7OTJMmYqvMGctUX5DoKdO82FPRBH7zGkbMCLyKEdFK9MjhUJzjYo9c3Ypvb6NkOEIoZ4RpzLB6nkNp/1hLkUbeo2ZSWMzERI57K7FIRwnWrufmoPoLVgTChQMN1ozs47n2WitHp2gei6gIforgW97nu/+fFuHZRsSa7c0QhGvHI55/P6269824NgbA7hsqY8dNN5nzSdEIjXGhZa0TLvgLYDJnj5Ytt4h2C5O0ycyxoHKZvhNmeeL38Dqroeer9aX27FhL1l8jAevtw3guvltDzuf2Ak0vEpks6ZJIgcqFV5V+gQe4Lr8Gyqh54scJZlEvKggH3MTb44eTGpVGETUQGLmVXQMaG7tZXReADOUjmheg+KHR+LqfI/pgoyYD9kCW3K/ew2VTbEz2DDB0PxfSVJSrsKv8okfQ50Vs+GaVh69bIAgwAaOj7uXlqtvIcFU95M2unxlnYe+2AV8c9S9oIL24a++6yCHA5csgslsFds9A9axM0puJ1jLvr41c7yiP2oQkSEdY2Ed50r6tPVMFMlluFI3kdT9fp/8RkoiVJYeFDeRPPX4gGOADvTNxq/4zW6SJnmWLu0gFYSDVJB+ltiBgsyAxIiCndd2C/GKKjxxYq17YlNLMCtUgwpyInToP94XqE3EW5XS9pNC4MWzXNDOKyp35q6ZjNem5RuBPjP6VfbfvC8XSqqnUnA/wGacvNHHseBrL/ysv5pHQN+RlT0U+yF/QJo6Cb4pfhGnJhYrj8o2bLuQsDRxHhxjfewdyh7kWy8BpTpnaCTYDIYK8+BXy/fGA64+wwr9t0ZWS+X2SOtOFN6Yzf/y2oWPybDerbpgO8PFdAc7Ps0Wd5GJArkMxIC2XUit4D7IgTteyo2NmJxpgcjEV+i5KWVaAD6Um32MUsqJUPVF1A995XjtikTaU0VAHu6OOuisTdIqpbBGOjz4pYt05ElOw0CIqzk+LjnNdsEVIMvNewM5VDalkm45G5TcCGp3F92Uyv91mIwOFx/q8R0NJTjqViUn58QutX0CRO2wnqDSRIoG6TjQ/jW5EeuChUysT3RA2cFOnvUvzIoKosc+QKFjIrRo8SJyp3Q4y5dWfRP12NBdZq953D3WZgedgk8qpppOVGTPZtFItmMSypBq3ZBWfx
iIa1et0pl1ckXhcJMFSx5ILWhUZ7Owkz9OkkP5/F6kJEhoB+BOWnnYo5hN3ftyIxwvUa1cpT/Ao6lqVDi35Bd3HO8DJfE93dkGElMt1bSL+otSS57Cvpv/Sp29STaKFaC3YvFvAWh8fztDwepL68CLHY6hTtx08pqQvjmPQi4F3cKWGN2ezDePl03UmN/y9EU55ex7hB2Vc23nmK4rBMVA6JgF6tkxwntjdKwXB3/a2/g2h3IkPV6MW8fATZDk7SHIgpBbSEfcE/E9n3gRGp1vMGsjaaYdtCyvdPQsaNUcvRvIO1+4GEk7Shc440169WEYjGkJFCUft7SBFa3i5h7aml9SSGM8I3HEWdHGheAB54aXY4= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZETpRRuHYY7npWt7fXTHWHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi4rFzkUzB4OKl/2c2EesvGolYPVqGBnXtpBHVEdAbtydK4o24b6bsY7hyY4zV2QKiqZRuTRsqAVO9JIcJoJFowNooAhPLnKY+DO5bAL6fi2Epg65rKw3oxAhKwA7xZijpCRFL3vTLNuav1xoZR3QcRiOKBTm51iTgAH9imUrfmSz2QU5nmbImlsyw6XINVYbpeDfrfB0ceMBkP3JNgn9SQ3nC26ZUErrteEilBYhMaJHjHtkOOb+cRbYP/YkqV67u57PNzND9fnZQh4wzqOwRRaJtAP/XbjrWoOIRXo5eMNQ99BNhaVKZ2udgzWmELVozygtVfjv5QmE= ---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/11401109ba5b939

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (261) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 29 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ransomwares\GandCrab\GandCrab.exe
    "C:\Users\Admin\AppData\Local\Temp\ransomwares\GandCrab\GandCrab.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\wermgr.exe
      "C:\Windows\System32\wermgr.exe"
      2⤵
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\SysWOW64\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1720
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2312
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HIHGZIRRR-DECRYPT.txt
    1⤵
      PID:3032

    Network

MITRE ATT&CK Matrix ATT&CK v13

  • Defense Evasion
    Indicator Removal (1): T1070
    File Deletion (1): T1070.004
    Modify Registry (1): T1112

  • Discovery
    Query Registry (2): T1012
    Peripheral Device Discovery (1): T1120
    System Information Discovery (2): T1082

  • Impact
    Inhibit System Recovery (1): T1490
    Defacement (1): T1491


    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      32b8910b7b1320622dfaeb61e6cb642b

      SHA1

      650f51dc8011c8fef06808c45d8df7b240b5a3c6

      SHA256

      02ba7a2b01549418d8b1e26d5b4b876d110085541b2e349f050d59411436b589

      SHA512

      b9c4d911bb7f1346e0749392879a39119b88e56932d24189dad07413181289099daf3c629392485bca5425a9a13e1eefef9934a2dea2fff010ae16907b6e7691

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      242B

      MD5

      e0f022acfc6ae69b81014395a6597123

      SHA1

      09f8e23ca4d63d44d57f0a05206ce60c6d5773bc

      SHA256

      62810f5bd6d918bdcff9c86977b134e40796fefe6e8766f4ce57dd384b707ac2

      SHA512

      e209466a9237bc5553e5ef714ff90851538bb6f3002fe7a8e5f30946d58c74b3ca39618cd13bd9ec80688bd22387352dcd11fd4ecff7ece3f91f124c37d44acb

    • C:\Users\Admin\AppData\Local\Temp\Tar9C35.tmp
      Filesize

      175KB

      MD5

      dd73cead4b93366cf3465c8cd32e2796

      SHA1

      74546226dfe9ceb8184651e920d1dbfb432b314e

      SHA256

      a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

      SHA512

      ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

    • F:\$RECYCLE.BIN\HIHGZIRRR-DECRYPT.txt
      Filesize

      8KB

      MD5

      511ff0d4da2a65dea5749e925dcd51ad

      SHA1

      fe779ff567b2318cf159f6aece48d0f46d439a4e

      SHA256

      4cb25d3f98138d2e23b3c0b93e811854533cc61032dd15cdad4b156d3fff4b29

      SHA512

      02e990b34d1fc274ac891363037ad08bcd4c0c302ec51e8de40f2de0aa372af48687022858e11270d1b897b61d1843473a64d7ba19f0809ae82553574e148feb

    • memory/1812-691-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

    • memory/2180-0-0x0000000000400000-0x000000000046A000-memory.dmp
      Filesize

      424KB