gandcrab | 2eaccf2ffad0c83282b940b5ed1e65f38acacc9e002b48e3bf4f852e1097232a

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ransomwares/GandCrab/GandCrab.exe
Size

424KB
MD5

95557a29de4b70a25ce62a03472be684
SHA1

5baabf2869278e60d4c4f236b832bffddd6cf969
SHA256

49b769536224f160b6087dc866edf6445531c6136ab76b9d5079ce622b043200
SHA512

79b78cf77926e0d8b424ad9984f72d4461c7d9e7af58c4e2af32fa7c58cc445c534228b0709b87f5e35e1c8793b3d028dc60787151d852b8524023d08b57f103
SSDEEP

6144:/UGV83D35bJrqV2L/E0tA+j16kUef5Nj1mB9WjEw0tzMV:qvmVe9h1qEtkBzw0tQ

Score

10^/10

gandcrab backdoor ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3270530367-132075249-2153716227-1000\XJUXCGPDEA-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .XJUXCGPDEA The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/86f7bad98bf1c24 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAKo24AM5fkyWDdR+JDjgFUVtl1LBxd+FUSGQ4FFx1PbdQ/+Ux6cs3EGk6UGO0mid/0V7A3zKIlMfER9qptPwRY5KcRA9Yi2CSWah3fnfwfOCaNwCWNdUl7SYru5z0/ldNYmUhsNTYt3qxJFowM+jhDyZQqXCnU+ktAGM6Bhm/Ju3AQe3bwrov8pz+pVKrOuePFai6muio/+eTqAitE+1T76BFwZaNGt/2RrORbF7uRJo0JI5FrJqfkJEQa1ZoTw5l/vnShiqN3nUtie4rOdBL5EjrtkYMNk60wmjTcLVRkPd+SAhv1ccwyvVrrKSxHWGXZe33jYjTQYm4g49f+O4Z0srTgpJA/9v51h6TTUmYCTsU+V4sdG6yziUH/nSCfLzi4ysMsn4dgSoknXDWfTpx40RhBhDdgYrIzDDnur04DYfztZGdnP6aLLMa1xuo4LTymAFsrOalx68BGWscovtYrYALRWw7rJiDlLDAuhGy7jww3iIIue6evF/Cgq/ydZ27wQZ0y+XqEe+mNbJKiAwsl9zZgJqym3/70nkr4qNbRQGkXP7F2+l/HAC2y8LbE2DvplMPAqz7sCCyN0/Kd+Fkz3Lyb3X+DQqHVzBWAzSXFnwY7mmoVapibp6soFnEWrq1fh9cQRz9dwiovVob4efTrMgBkwdjBCuuyjxJkTnqBC0j+YxtAcl4djZHeBPh5i4PMYKuInxd/pzSX5uTrx/gu1PAPoQ8DCIP6y2VoC983kW9r+ZCN+LiR/GikoK3uPJIAOKPyq/G+5UNiCr6UtX+eCgexTDXLNh6AqwHj6tVjadb+UKpMK5NgSMyaEtnna4irMQA2f3bczJE9fI/tccAneuS7xdLR7pvbazAebfny0ZQyQUXwKJrjVCjq+KPjpIR/BJ+hrYw45ucVsWqwjPG5qaAl41qYAtPtOychIkp2a+AEX+qVFjxdiU+YFCbSq0uZE7yURTXtMxDZLbdfltOcyKZ8FSfEPZC2ZYHQ0dXyshr0GAhbQiyyAOZVLOkMK9dEKhEkSYDwn1FRMVwxq/4alAFgXJhBL1FvUnYHIFC1OMXsLatxylVDL0OkEu0mYQ9vElwcSMP8GAt/wew318846E7hv2NXdTsM7tqeHIlHga4BMOKHeD3Vs0xEBNvN0Wole3Vo44QNiDNX8cjfRTHljHRukCfhEVnFDIsLQvpr4CzRoAI8LzQhIu9/vXP6f2pbh46oVJmBlmD0US/Xw8Ur88PUEVaMWBiitc0O96f8xISOb9e3eeNVWzG4+TSFFOJ5liidi15HacB3NiIE0okIByXdP8WkhqJBWZ/8afOrocXYwyRcfeForzyJ+9aPUOpHZ1OZrOa8535A8tziNMcojwbKL4iYj09hmnjy8c1DjK9u+2yRNdJTpPuATU8n6/U+qmRCzUXqHpsQ1fl1EEwgdWZMp763vAn5bdO1RWcjAmSXtqE0hLzBBCooyhP/71RgidJXZIrDZjKC0gDM2aX7jTl7oUu/ujw+f+/A0JNjNrGv9E3Ib0mccufVRlFEwtz5I63eVf6lsa6YUKsoFan1kG/MeW0kqPjHJKvw/EviM8+ykpZ8aIeM93KcJ5AovHmpJKTlAQQWaObCCPJXmNkWks+j70oGsVlmC2TddsRNacnmnM5h2jD4VwPqXrLYiMv+peiWTD16k0OvUnEhzrTulqqiWj20pO4V0O3znXU5NxU+Cz4qUO0u2NgpsRDm+aCawZZmEjk0OCxNfh0t9mPOSZ94HF/RbcBuPZSTPIeeFGoHPvXQXRG/zv7Rrb/O35K/m2byIEIXgXMGrdzX4Y7I/BuPYZXxIdpaeysSxqxinlm9KLlgWd5yySWW4eiBfHPcBqypbr7zVmkVihuqg2k5RMqZyAXJf98nOvKuf6LpGdAUD2dAkNUCH8q5UhyCC6+B9ARNvHiM8CvU3LVwbe1oPFaXb5CB14tWQTzDhVW0llGQby5ASGLsZm2UCF8GxicJGcxGx3X+OqqzKiAMlfvFGnJXvpjoi4wVG7SkzvwqrVeG03S8zwirVcMg4FcqaBJNtybiMjCLR8aCBlA4zP7AXkLRFB1/6hcIcXiMcA+3zxpVieSHZx9p1FDNVNNVu+V0EQhFes0mOgav7h2mzwYKfOn52++M/M5Ho68ZPmb3Xnh+Bg8GEIXI8MkrAXWgXjfIt+t1jaKVu9coasMKTj6MouSXXTMJ6UKnqeC7hWFyeb4YPGvTIK3iupmBYSbSjiqq6YrmM= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZbToZRtnYb7nlWtbfPTGqHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB6OKi/zA2Fut0GopYOFqKBi/t/xGAEdgb8icQ4t24Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFqwNcoBxPInKc+DO5cALafi2Eyg61rLg32xAxKww72ZinpCBFM3vDLNeaq1wMZNHQURkmKCjnb1ifgDX9lmT3f7CydQUtnnLIqlsiw73IGVY3pfjf3fBwceMB8P3BNg39XQ3DC2aZBEuHtLEi+BdBMOZH4HpsOeb/YRZoP4YksV8zuv7OczMv9OXYAh9gzrewdRb9tHf+DbmDW4OIcXpVeLdQr9FxhOVLL2u9gwWmeLQ4zxgtafmr5TWEPiWMEkrI= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/86f7bad98bf1c24

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (275) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\XJUXCGPDEA-DECRYPT.txt	wermgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\98bf1bc998bf1c2127.lock	wermgr.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	wermgr.exe
File opened (read-only)	\??\I:	wermgr.exe
File opened (read-only)	\??\Q:	wermgr.exe
File opened (read-only)	\??\W:	wermgr.exe
File opened (read-only)	\??\U:	wermgr.exe
File opened (read-only)	\??\G:	wermgr.exe
File opened (read-only)	\??\J:	wermgr.exe
File opened (read-only)	\??\K:	wermgr.exe
File opened (read-only)	\??\S:	wermgr.exe
File opened (read-only)	\??\T:	wermgr.exe
File opened (read-only)	\??\X:	wermgr.exe
File opened (read-only)	\??\Y:	wermgr.exe
File opened (read-only)	\??\Z:	wermgr.exe
File opened (read-only)	\??\A:	wermgr.exe
File opened (read-only)	\??\H:	wermgr.exe
File opened (read-only)	\??\N:	wermgr.exe
File opened (read-only)	\??\P:	wermgr.exe
File opened (read-only)	\??\R:	wermgr.exe
File opened (read-only)	\??\V:	wermgr.exe
File opened (read-only)	\??\B:	wermgr.exe
File opened (read-only)	\??\L:	wermgr.exe
File opened (read-only)	\??\M:	wermgr.exe
File opened (read-only)	\??\O:	wermgr.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"	wermgr.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File created	C:\Program Files\XJUXCGPDEA-DECRYPT.txt	wermgr.exe
File opened for modification	C:\Program Files\DisconnectUndo.asp	wermgr.exe
File opened for modification	C:\Program Files\DismountRegister.rmi	wermgr.exe
File opened for modification	C:\Program Files\PushResize.xht	wermgr.exe
File opened for modification	C:\Program Files\SearchJoin.mht	wermgr.exe
File opened for modification	C:\Program Files\WatchShow.xps	wermgr.exe
File created	C:\Program Files\98bf1bc998bf1c2127.lock	wermgr.exe
File opened for modification	C:\Program Files\BackupSet.vsdm	wermgr.exe
File opened for modification	C:\Program Files\EnterEnable.mpeg	wermgr.exe
File opened for modification	C:\Program Files\LockReset.wmf	wermgr.exe
File opened for modification	C:\Program Files\MountConfirm.vdx	wermgr.exe
File opened for modification	C:\Program Files\StopReset.ps1	wermgr.exe
File opened for modification	C:\Program Files\CompareUpdate.fon	wermgr.exe
File opened for modification	C:\Program Files\InitializeRead.mp2v	wermgr.exe
File opened for modification	C:\Program Files\MoveSet.mpv2	wermgr.exe
File opened for modification	C:\Program Files\ReceiveMount.M2V	wermgr.exe
File opened for modification	C:\Program Files\AssertMeasure.WTV	wermgr.exe
File opened for modification	C:\Program Files\StartUnpublish.wmf	wermgr.exe
File opened for modification	C:\Program Files\UnprotectReceive.pptx	wermgr.exe
File opened for modification	C:\Program Files\WatchClose.mhtml	wermgr.exe
File opened for modification	C:\Program Files\FindRedo.tif	wermgr.exe
File created	C:\Program Files (x86)\98bf1bc998bf1c2127.lock	wermgr.exe
File opened for modification	C:\Program Files\ConvertFromShow.midi	wermgr.exe
File opened for modification	C:\Program Files\GetStop.ini	wermgr.exe
File opened for modification	C:\Program Files\HideRevoke.tiff	wermgr.exe
File opened for modification	C:\Program Files\StepTest.mpeg	wermgr.exe
File opened for modification	C:\Program Files\UpdateEnter.ppt	wermgr.exe
File created	C:\Program Files (x86)\XJUXCGPDEA-DECRYPT.txt	wermgr.exe
File opened for modification	C:\Program Files\ConfirmFind.MTS	wermgr.exe
File opened for modification	C:\Program Files\CopyGroup.jpg	wermgr.exe
File opened for modification	C:\Program Files\GetInstall.ppsm	wermgr.exe
File opened for modification	C:\Program Files\ImportInstall.ttf	wermgr.exe
File opened for modification	C:\Program Files\ProtectShow.dotx	wermgr.exe
File opened for modification	C:\Program Files\RepairUnlock.asx	wermgr.exe
File opened for modification	C:\Program Files\UnlockProtect.wdp	wermgr.exe
File opened for modification	C:\Program Files\PublishSubmit.xls	wermgr.exe
File opened for modification	C:\Program Files\TraceUndo.ex_	wermgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1564	wermgr.exe
1564	wermgr.exe
1564	wermgr.exe
1564	wermgr.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3764	wmic.exe
Token: SeSecurityPrivilege	3764	wmic.exe
Token: SeTakeOwnershipPrivilege	3764	wmic.exe
Token: SeLoadDriverPrivilege	3764	wmic.exe
Token: SeSystemProfilePrivilege	3764	wmic.exe
Token: SeSystemtimePrivilege	3764	wmic.exe
Token: SeProfSingleProcessPrivilege	3764	wmic.exe
Token: SeIncBasePriorityPrivilege	3764	wmic.exe
Token: SeCreatePagefilePrivilege	3764	wmic.exe
Token: SeBackupPrivilege	3764	wmic.exe
Token: SeRestorePrivilege	3764	wmic.exe
Token: SeShutdownPrivilege	3764	wmic.exe
Token: SeDebugPrivilege	3764	wmic.exe
Token: SeSystemEnvironmentPrivilege	3764	wmic.exe
Token: SeRemoteShutdownPrivilege	3764	wmic.exe
Token: SeUndockPrivilege	3764	wmic.exe
Token: SeManageVolumePrivilege	3764	wmic.exe
Token: 33	3764	wmic.exe
Token: 34	3764	wmic.exe
Token: 35	3764	wmic.exe
Token: 36	3764	wmic.exe
Token: SeIncreaseQuotaPrivilege	3764	wmic.exe
Token: SeSecurityPrivilege	3764	wmic.exe
Token: SeTakeOwnershipPrivilege	3764	wmic.exe
Token: SeLoadDriverPrivilege	3764	wmic.exe
Token: SeSystemProfilePrivilege	3764	wmic.exe
Token: SeSystemtimePrivilege	3764	wmic.exe
Token: SeProfSingleProcessPrivilege	3764	wmic.exe
Token: SeIncBasePriorityPrivilege	3764	wmic.exe
Token: SeCreatePagefilePrivilege	3764	wmic.exe
Token: SeBackupPrivilege	3764	wmic.exe
Token: SeRestorePrivilege	3764	wmic.exe
Token: SeShutdownPrivilege	3764	wmic.exe
Token: SeDebugPrivilege	3764	wmic.exe
Token: SeSystemEnvironmentPrivilege	3764	wmic.exe
Token: SeRemoteShutdownPrivilege	3764	wmic.exe
Token: SeUndockPrivilege	3764	wmic.exe
Token: SeManageVolumePrivilege	3764	wmic.exe
Token: 33	3764	wmic.exe
Token: 34	3764	wmic.exe
Token: 35	3764	wmic.exe
Token: 36	3764	wmic.exe
Token: SeBackupPrivilege	4820	vssvc.exe
Token: SeRestorePrivilege	4820	vssvc.exe
Token: SeAuditPrivilege	4820	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1564	2076	GandCrab.exe	92
PID 2076 wrote to memory of 1564	2076	GandCrab.exe	92
PID 2076 wrote to memory of 1564	2076	GandCrab.exe	92
PID 2076 wrote to memory of 1564	2076	GandCrab.exe	92
PID 2076 wrote to memory of 1564	2076	GandCrab.exe	92
PID 1564 wrote to memory of 3764	1564	wermgr.exe	101
PID 1564 wrote to memory of 3764	1564	wermgr.exe	101
PID 1564 wrote to memory of 3764	1564	wermgr.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ransomwares\GandCrab\GandCrab.exe
"C:\Users\Admin\AppData\Local\Temp\ransomwares\GandCrab\GandCrab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\wermgr.exe
  "C:\Windows\System32\wermgr.exe"
  2⤵
  - Drops startup file
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\XJUXCGPDEA-DECRYPT.txt
1⤵
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3270530367-132075249-2153716227-1000\XJUXCGPDEA-DECRYPT.txt

Filesize
8KB

MD5
f5330df527b2d88055427525cc5fb9c8

SHA1
864ddf9ecf661007d3dec2cfb94fe1b705b1d73d

SHA256
591137a96d37712e07ab765d580ed31d781ee84b8a7e78953f18ca1a30c96572

SHA512
4dae46a0c35271f2d2a9dd02c040af56dae1e38481510512005688a6cc20d6e09bb5b50ff514573625757f32149348c4445be67b5a3d8c94739084b2bab3c2df

Download Submit
memory/1564-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1564-706-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1564-714-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2076-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download