gandcrab | 2eaccf2ffad0c83282b940b5ed1e65f38acacc9e002b48e3bf4f852e1097232a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ransomwares/GandCrab/GandCrab.exe
Size

424KB
MD5

95557a29de4b70a25ce62a03472be684
SHA1

5baabf2869278e60d4c4f236b832bffddd6cf969
SHA256

49b769536224f160b6087dc866edf6445531c6136ab76b9d5079ce622b043200
SHA512

79b78cf77926e0d8b424ad9984f72d4461c7d9e7af58c4e2af32fa7c58cc445c534228b0709b87f5e35e1c8793b3d028dc60787151d852b8524023d08b57f103
SSDEEP

6144:/UGV83D35bJrqV2L/E0tA+j16kUef5Nj1mB9WjEw0tzMV:qvmVe9h1qEtkBzw0tQ

Score

10^/10

gandcrab backdoor ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1497073144-2389943819-3385106915-1000\VUIAI-DECRYPT.txt

Ransom Note

---= GANDCRAB V5.0.3 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE WILL BE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .VUIAI The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/900a25aad39aa378 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAGO7nVCYlwX+c3TQsxCqIh1z7ub0iOsahv6O1OJHahtyDclVInSJN2rtJHhT0ML3aI+xwcWmuGetKmETI5sAl8aWIqB/nJTM6Y883MjOC028qsCduFyS4iCDO/B4IfVFX0eN+ne8b0FWVoyiAd9PKzdngv73/YZ+AZxbACv7t8qcJ0I4HnQNap2xYqkETms35+PSI0+m01djVfF1FUzcCJZiX45NW3OF7L4YCHLUT4sblOSZL/YpGYBaSs1+yuf82bcZkFMaT1Dzc1t4S7jJ8EccVOCM1QYAM1VIy/VbW+8Z0sRuflw3Lf9vq2ULNeWV8r54wUh98TfQBXOpdSdJWxW6M1Ovik/C2doxp5WdPMKZz3J4hQAblTiu/ysIcqFL35PQCL1BARmWFEfijFDhzJZbN2ZhlYHbG0sCiLH+bVCzogdZAwF3eXFcslCQb6yxSmiNBpoST82qLZZiEoXkYVzuI+QLbtzMY9rcSXoUY2LeoyBAHC+xVJ49OPH0A/q9Cp6j9+MDV/SmUb2a3aNgX57J93CER1lMqG5yhBLHyumzfI1mhm0rOXywiDJ/XWnyid/LVLZqlUeVDNm1b7WOf3IgdzYF4zgbrNCAXRO/gH6us1Uc14BHHkYDf+Wd8ee21oUltAyXyvBXioIV54ruuiZpFRBxVxQlU7Qtleu3QLaey+kuIEJTGj6SegqtGfKHexAxcgM3PBJoV8YQhewKa1fwVSVUhMRMiSOUimUeB8xAnHrCvCg3msnrQJihLGnKtKJZbTEZd9/hde6XYZJn3Gzh5abcQM3vYRVjZtofBqIqpbvIA99Xa1qoH9KGmdeh5CJtYs7eCddCfBRzWDM8lc0chhikpGIAdkBb/UxT5FT/ngYIROalH6D0l927iL6/jnOdog9ni0WDr7IwDztpi9ezQTowAxuYejpVVniKhio+eo5VQ8bVFcbNQNKxGwv4LtF/GqB7N+DP961th5prf3YN7Vncgp56G5V24lFU59s/hKKETMF4bt3aPx9QLQVl0v+pOnou4JmETam2YWFkItfd2uLkZKCvpWlXDdK9EVq0SNxJG73pZDbKkEsHeCPv0Lq3g/XD54oxtVGp2GxoCrGeTOqYny0fAw6uvSkwdjLvxMtY08BpkanAk87d25ufFLXf3hDQeYrbHosTBRR9BvWSjlRYuxbDyUZ6fOnuwKdXNKHc7mHGXOhSpx7UHvsn2PPOvDgLWsmlGuq9qnubT+M0jIgrrbgTW8vS8VQOGOTcZuPPXtT8gQ/Yeie43P4k20micQ1C9UzV7e6TSfkP+uL179xibwDywz95r2LL8ZK8Wjve+PFBReSBuDyBUBAE+eaiH8kB/OUlQ/ebkSdQbHplC9/9KN5Op3so5U8Khbe335i1te8GB6GcIUoQ51BQy+qZ3PILq4jjijCVVLW4feqDkoP48+3Un8dVuv/RpwMxE8r0vnmvZnQE9u90laj0XngZuJBOXJPB6d8eggXTD4Ep7VDO1qUKKtwM73KVm/q4hIcCHEkxe89KFTuckBElEycXbAobzgVH/9O9rvsrRlbEE6I9QyUiKGb2lgXyR1j/IbQd8Zszx/NX58JhJQrSgtY8WK1q0hgjvEGvp4iT3Xh76KKeYg3+Z0RE9pkx/NYm5jMpNrP+hSVMi+AXF39KX4QVCuQ4E+uLMeNJFWFi4qtUAkaKIc4Og7PyhEayKDHZwaE7zJPb7yniavVgMYCbxIAP/ul8tFbXrzdnPiwNYFdnk9qepiV+4GU20pDxCEjAy4Y+sjCaEcc2mLJRUtleJzdNeWCnCw6lmTMbgfq2gQekKYdzixLaPMjpPw21qMd6EybxWSJpoTMUe9Gcu6dBStHN1LtYqcX0Y4wfPJTrg50Es9iwaNKvxegUDfxFra8VPqSar6v9kgm4h8ylhidaw2UIxAFANXkJBWGJLVARdTSjxa5GICIllgB2fLfVzDt7hcZpnVAK/nmDbPtznytN3w0ndbfxtvENaGEq9cY/XJKE1tKCfJyHe5DxvSCBNw44Iy2k+2dTxkKrdZpBlyQ0kbB8ryFhNiLjbC9hJmgf4sodDWzn+koOAFJCiObAaa12gTnWox45S49/dABZAoLQrOnbWnC5pn6pvZZkqPNLDZA8gXobkZJKBHVUGAU0tgM1NXCRErAvkmQQMFLCSVhcBHQvLosp5DvADnw41I4aa1q97gu2UcriM7zTlN2xXXu8QKA2HPYZAAShjph46EGxz5SSPmI= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZQTpZRqXYU7npWqLfaTHWHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wNmoQoAHZIP7k/TfrG1tVzlDb3jcZAB3gql9dnWN0lCD4xdg7bDNQrvH1xSi3FCw+6kfktKtizqdynr7r154JiurEmkUXB6eKk/2Y2QOskGt5YPVrSBnPtrhHfEYgb8CcR4t64M6b3Y5NyPYz32XaispQRTRkqF1PXJPcJ15EHwNAoARPLnK8+Au5ZALyfhGEwg6hrKQ3vxBFKwg70Zi7pDxFM3vTLNOah1wIZNHQXRleKYDmn1lvgAn90mSDf7SyGQSZnn7Ivlsuw7HIKVYbpfzf2fBccdMBnP2lNhH9XQ3DC2qZAEuDtLkioBZ9MNJGhHpcOfb/LRc8P54k7V/HuibORzJL9NXYEh8sz/ewORahtHP+ZbmbW4eJPXp1eNtQ19EJhJFLe2qhgw2mJLRMzwAtbfjn5E2ENiW4EkrJfTw== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/900a25aad39aa378

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (260) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\VUIAI-DECRYPT.txt	wermgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\d39aa495d39aa37d27.lock	wermgr.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	wermgr.exe
File opened (read-only)	\??\R:	wermgr.exe
File opened (read-only)	\??\V:	wermgr.exe
File opened (read-only)	\??\X:	wermgr.exe
File opened (read-only)	\??\P:	wermgr.exe
File opened (read-only)	\??\G:	wermgr.exe
File opened (read-only)	\??\I:	wermgr.exe
File opened (read-only)	\??\L:	wermgr.exe
File opened (read-only)	\??\O:	wermgr.exe
File opened (read-only)	\??\W:	wermgr.exe
File opened (read-only)	\??\E:	wermgr.exe
File opened (read-only)	\??\T:	wermgr.exe
File opened (read-only)	\??\U:	wermgr.exe
File opened (read-only)	\??\Z:	wermgr.exe
File opened (read-only)	\??\M:	wermgr.exe
File opened (read-only)	\??\B:	wermgr.exe
File opened (read-only)	\??\H:	wermgr.exe
File opened (read-only)	\??\J:	wermgr.exe
File opened (read-only)	\??\K:	wermgr.exe
File opened (read-only)	\??\N:	wermgr.exe
File opened (read-only)	\??\S:	wermgr.exe
File opened (read-only)	\??\Y:	wermgr.exe
File opened (read-only)	\??\A:	wermgr.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"	wermgr.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\d39aa495d39aa37d27.lock	wermgr.exe
File created	C:\Program Files\d39aa495d39aa37d27.lock	wermgr.exe
File opened for modification	C:\Program Files\BlockReset.wps	wermgr.exe
File opened for modification	C:\Program Files\ResumeTest.xlsm	wermgr.exe
File opened for modification	C:\Program Files\WatchCompare.ttc	wermgr.exe
File opened for modification	C:\Program Files\ProtectGrant.dib	wermgr.exe
File opened for modification	C:\Program Files\ReadInstall.aiff	wermgr.exe
File opened for modification	C:\Program Files\StepResolve.potm	wermgr.exe
File opened for modification	C:\Program Files\StepSuspend.wmv	wermgr.exe
File created	C:\Program Files\VUIAI-DECRYPT.txt	wermgr.exe
File opened for modification	C:\Program Files\DenyExit.vdw	wermgr.exe
File opened for modification	C:\Program Files\GrantUnblock.xlt	wermgr.exe
File opened for modification	C:\Program Files\OutConnect.htm	wermgr.exe
File created	C:\Program Files (x86)\VUIAI-DECRYPT.txt	wermgr.exe
File opened for modification	C:\Program Files\ClearCompress.xlsx	wermgr.exe
File opened for modification	C:\Program Files\GetSearch.wmf	wermgr.exe
File opened for modification	C:\Program Files\OptimizeConvertFrom.gif	wermgr.exe
File opened for modification	C:\Program Files\SelectUnpublish.iso	wermgr.exe
File opened for modification	C:\Program Files\ConvertReceive.midi	wermgr.exe
File opened for modification	C:\Program Files\ProtectSkip.vstx	wermgr.exe
File opened for modification	C:\Program Files\StepSuspend.docm	wermgr.exe
File opened for modification	C:\Program Files\UnblockSubmit.midi	wermgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wermgr.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4688	wermgr.exe
4688	wermgr.exe
4688	wermgr.exe
4688	wermgr.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4780	wmic.exe
Token: SeSecurityPrivilege	4780	wmic.exe
Token: SeTakeOwnershipPrivilege	4780	wmic.exe
Token: SeLoadDriverPrivilege	4780	wmic.exe
Token: SeSystemProfilePrivilege	4780	wmic.exe
Token: SeSystemtimePrivilege	4780	wmic.exe
Token: SeProfSingleProcessPrivilege	4780	wmic.exe
Token: SeIncBasePriorityPrivilege	4780	wmic.exe
Token: SeCreatePagefilePrivilege	4780	wmic.exe
Token: SeBackupPrivilege	4780	wmic.exe
Token: SeRestorePrivilege	4780	wmic.exe
Token: SeShutdownPrivilege	4780	wmic.exe
Token: SeDebugPrivilege	4780	wmic.exe
Token: SeSystemEnvironmentPrivilege	4780	wmic.exe
Token: SeRemoteShutdownPrivilege	4780	wmic.exe
Token: SeUndockPrivilege	4780	wmic.exe
Token: SeManageVolumePrivilege	4780	wmic.exe
Token: 33	4780	wmic.exe
Token: 34	4780	wmic.exe
Token: 35	4780	wmic.exe
Token: 36	4780	wmic.exe
Token: SeIncreaseQuotaPrivilege	4780	wmic.exe
Token: SeSecurityPrivilege	4780	wmic.exe
Token: SeTakeOwnershipPrivilege	4780	wmic.exe
Token: SeLoadDriverPrivilege	4780	wmic.exe
Token: SeSystemProfilePrivilege	4780	wmic.exe
Token: SeSystemtimePrivilege	4780	wmic.exe
Token: SeProfSingleProcessPrivilege	4780	wmic.exe
Token: SeIncBasePriorityPrivilege	4780	wmic.exe
Token: SeCreatePagefilePrivilege	4780	wmic.exe
Token: SeBackupPrivilege	4780	wmic.exe
Token: SeRestorePrivilege	4780	wmic.exe
Token: SeShutdownPrivilege	4780	wmic.exe
Token: SeDebugPrivilege	4780	wmic.exe
Token: SeSystemEnvironmentPrivilege	4780	wmic.exe
Token: SeRemoteShutdownPrivilege	4780	wmic.exe
Token: SeUndockPrivilege	4780	wmic.exe
Token: SeManageVolumePrivilege	4780	wmic.exe
Token: 33	4780	wmic.exe
Token: 34	4780	wmic.exe
Token: 35	4780	wmic.exe
Token: 36	4780	wmic.exe
Token: SeBackupPrivilege	2972	vssvc.exe
Token: SeRestorePrivilege	2972	vssvc.exe
Token: SeAuditPrivilege	2972	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 4688	1696	GandCrab.exe	84
PID 1696 wrote to memory of 4688	1696	GandCrab.exe	84
PID 1696 wrote to memory of 4688	1696	GandCrab.exe	84
PID 1696 wrote to memory of 4688	1696	GandCrab.exe	84
PID 1696 wrote to memory of 4688	1696	GandCrab.exe	84
PID 4688 wrote to memory of 4780	4688	wermgr.exe	91
PID 4688 wrote to memory of 4780	4688	wermgr.exe	91
PID 4688 wrote to memory of 4780	4688	wermgr.exe	91

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ransomwares\GandCrab\GandCrab.exe
"C:\Users\Admin\AppData\Local\Temp\ransomwares\GandCrab\GandCrab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\wermgr.exe
  "C:\Windows\System32\wermgr.exe"
  2⤵
  - Drops startup file
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\SysWOW64\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1497073144-2389943819-3385106915-1000\VUIAI-DECRYPT.txt

Filesize
8KB

MD5
65c1cb4d0292a0cd09b199064c73bbed

SHA1
4263c8f7e832e97893f784b4b49b4d1c3974c552

SHA256
abca041ce6af6a65874b19201bb5a3edacb7715132596f4367873ff08099d506

SHA512
d35c8d7f710a337fcbc4005158cbd974a518c9dc78f272e430952d4d4e767280e2554d4efbefac78ceddf80227091dc22e91958a102c95c0ee2dc2bf028748aa

Download Submit
memory/1696-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4688-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4688-676-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4688-684-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download