Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
15-03-2024 21:38
General
-
Target
ransomwares/GandCrab/GandCrab.exe
-
Size
424KB
-
MD5
95557a29de4b70a25ce62a03472be684
-
SHA1
5baabf2869278e60d4c4f236b832bffddd6cf969
-
SHA256
49b769536224f160b6087dc866edf6445531c6136ab76b9d5079ce622b043200
-
SHA512
79b78cf77926e0d8b424ad9984f72d4461c7d9e7af58c4e2af32fa7c58cc445c534228b0709b87f5e35e1c8793b3d028dc60787151d852b8524023d08b57f103
-
SSDEEP
6144:/UGV83D35bJrqV2L/E0tA+j16kUef5Nj1mB9WjEw0tzMV:qvmVe9h1qEtkBzw0tQ
Score
10/10
Malware Config
Extracted
Path
C:\$Recycle.Bin\S-1-5-21-3270530367-132075249-2153716227-1000\XJUXCGPDEA-DECRYPT.txt
Ransom Note
---= GANDCRAB V5.0.3 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .XJUXCGPDEA
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/86f7bad98bf1c24
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
lAQAAKo24AM5fkyWDdR+JDjgFUVtl1LBxd+FUSGQ4FFx1PbdQ/+Ux6cs3EGk6UGO0mid/0V7A3zKIlMfER9qptPwRY5KcRA9Yi2CSWah3fnfwfOCaNwCWNdUl7SYru5z0/ldNYmUhsNTYt3qxJFowM+jhDyZQqXCnU+ktAGM6Bhm/Ju3AQe3bwrov8pz+pVKrOuePFai6muio/+eTqAitE+1T76BFwZaNGt/2RrORbF7uRJo0JI5FrJqfkJEQa1ZoTw5l/vnShiqN3nUtie4rOdBL5EjrtkYMNk60wmjTcLVRkPd+SAhv1ccwyvVrrKSxHWGXZe33jYjTQYm4g49f+O4Z0srTgpJA/9v51h6TTUmYCTsU+V4sdG6yziUH/nSCfLzi4ysMsn4dgSoknXDWfTpx40RhBhDdgYrIzDDnur04DYfztZGdnP6aLLMa1xuo4LTymAFsrOalx68BGWscovtYrYALRWw7rJiDlLDAuhGy7jww3iIIue6evF/Cgq/ydZ27wQZ0y+XqEe+mNbJKiAwsl9zZgJqym3/70nkr4qNbRQGkXP7F2+l/HAC2y8LbE2DvplMPAqz7sCCyN0/Kd+Fkz3Lyb3X+DQqHVzBWAzSXFnwY7mmoVapibp6soFnEWrq1fh9cQRz9dwiovVob4efTrMgBkwdjBCuuyjxJkTnqBC0j+YxtAcl4djZHeBPh5i4PMYKuInxd/pzSX5uTrx/gu1PAPoQ8DCIP6y2VoC983kW9r+ZCN+LiR/GikoK3uPJIAOKPyq/G+5UNiCr6UtX+eCgexTDXLNh6AqwHj6tVjadb+UKpMK5NgSMyaEtnna4irMQA2f3bczJE9fI/tccAneuS7xdLR7pvbazAebfny0ZQyQUXwKJrjVCjq+KPjpIR/BJ+hrYw45ucVsWqwjPG5qaAl41qYAtPtOychIkp2a+AEX+qVFjxdiU+YFCbSq0uZE7yURTXtMxDZLbdfltOcyKZ8FSfEPZC2ZYHQ0dXyshr0GAhbQiyyAOZVLOkMK9dEKhEkSYDwn1FRMVwxq/4alAFgXJhBL1FvUnYHIFC1OMXsLatxylVDL0OkEu0mYQ9vElwcSMP8GAt/wew318846E7hv2NXdTsM7tqeHIlHga4BMOKHeD3Vs0xEBNvN0Wole3Vo44QNiDNX8cjfRTHljHRukCfhEVnFDIsLQvpr4CzRoAI8LzQhIu9/vXP6f2pbh46oVJmBlmD0US/Xw8Ur88PUEVaMWBiitc0O96f8xISOb9e3eeNVWzG4+TSFFOJ5liidi15HacB3NiIE0okIByXdP8WkhqJBWZ/8afOrocXYwyRcfeForzyJ+9aPUOpHZ1OZrOa8535A8tziNMcojwbKL4iYj09hmnjy8c1DjK9u+2yRNdJTpPuATU8n6/U+qmRCzUXqHpsQ1fl1EEwgdWZMp763vAn5bdO1RWcjAmSXtqE0hLzBBCooyhP/71RgidJXZIrDZjKC0gDM2aX7jTl7oUu/ujw+f+/A0JNjNrGv9E3Ib0mccufVRlFEwtz5I63eVf6lsa6YUKsoFan1kG/MeW0kqPjHJKvw/EviM8+ykpZ8aIeM93KcJ5AovHmpJKTlAQQWaObCCPJXmNkWks+j70oGsVlmC2TddsRNacnmnM5h2jD4VwPqXrLYiMv+peiWTD16k0OvUnEhzrTulqqiWj20pO4V0O3znXU5NxU+Cz4qUO0u2NgpsRDm+aCawZZmEjk0OCxNfh0t9mPOSZ94HF/RbcBuPZSTPIeeFGoHPvXQXRG/zv7Rrb/O35K/m2byIEIXgXMGrdzX4Y7I/BuPYZXxIdpaeysSxqxinlm9KLlgWd5yySWW4eiBfHPcBqypbr7zVmkVihuqg2k5RMqZyAXJf98nOvKuf6LpGdAUD2dAkNUCH8q5UhyCC6+B9ARNvHiM8CvU3LVwbe1oPFaXb5CB14tWQTzDhVW0llGQby5ASGLsZm2UCF8GxicJGcxGx3X+OqqzKiAMlfvFGnJXvpjoi4wVG7SkzvwqrVeG03S8zwirVcMg4FcqaBJNtybiMjCLR8aCBlA4zP7AXkLRFB1/6hcIcXiMcA+3zxpVieSHZx9p1FDNVNNVu+V0EQhFes0mOgav7h2mzwYKfOn52++M/M5Ho68ZPmb3Xnh+Bg8GEIXI8MkrAXWgXjfIt+t1jaKVu9coasMKTj6MouSXXTMJ6UKnqeC7hWFyeb4YPGvTIK3iupmBYSbSjiqq6YrmM=
---END GANDCRAB KEY---
---BEGIN PC DATA---
wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZbToZRtnYb7nlWtbfPTGqHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB6OKi/zA2Fut0GopYOFqKBi/t/xGAEdgb8icQ4t24Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFqwNcoBxPInKc+DO5cALafi2Eyg61rLg32xAxKww72ZinpCBFM3vDLNeaq1wMZNHQURkmKCjnb1ifgDX9lmT3f7CydQUtnnLIqlsiw73IGVY3pfjf3fBwceMB8P3BNg39XQ3DC2aZBEuHtLEi+BdBMOZH4HpsOeb/YRZoP4YksV8zuv7OczMv9OXYAh9gzrewdRb9tHf+DbmDW4OIcXpVeLdQr9FxhOVLL2u9gwWmeLQ4zxgtafmr5TWEPiWMEkrI=
---END PC DATA---
URLs
http://gandcrabmfe6mnef.onion/86f7bad98bf1c24
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (275) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 37 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ransomwares\GandCrab\GandCrab.exe"C:\Users\Admin\AppData\Local\Temp\ransomwares\GandCrab\GandCrab.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wermgr.exe"C:\Windows\System32\wermgr.exe"2⤵
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\XJUXCGPDEA-DECRYPT.txt1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$Recycle.Bin\S-1-5-21-3270530367-132075249-2153716227-1000\XJUXCGPDEA-DECRYPT.txtFilesize
8KB
MD5f5330df527b2d88055427525cc5fb9c8
SHA1864ddf9ecf661007d3dec2cfb94fe1b705b1d73d
SHA256591137a96d37712e07ab765d580ed31d781ee84b8a7e78953f18ca1a30c96572
SHA5124dae46a0c35271f2d2a9dd02c040af56dae1e38481510512005688a6cc20d6e09bb5b50ff514573625757f32149348c4445be67b5a3d8c94739084b2bab3c2df
-
memory/1564-1-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1564-706-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1564-714-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/2076-0-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB