Overview
overview
10Static
static
10ransomware...3n.exe
windows7-x64
ransomware...3n.exe
windows10-2004-x64
ransomware...le.exe
windows7-x64
ransomware...le.exe
windows10-2004-x64
ransomware...it.exe
windows7-x64
10ransomware...it.exe
windows10-2004-x64
10ransomware...le.exe
windows10-2004-x64
10ransomware... 5.exe
windows7-x64
10ransomware... 5.exe
windows10-2004-x64
10ransomware...de.exe
windows7-x64
10ransomware...de.exe
windows10-2004-x64
10ransomware...ck.exe
windows7-x64
7ransomware...ck.exe
windows10-2004-x64
7ransomware...ye.exe
windows7-x64
6ransomware...ye.exe
windows10-2004-x64
6ransomware...ap.exe
windows7-x64
6ransomware...ap.exe
windows10-2004-x64
6ransomware...ya.exe
windows7-x64
6ransomware...ya.exe
windows10-2004-x64
6ransomware...om.exe
windows7-x64
10ransomware...om.exe
windows10-2004-x64
10ransomware...ab.exe
windows7-x64
10ransomware...ab.exe
windows10-2004-x64
10ransomware...ye.exe
windows7-x64
10ransomware...ye.exe
windows10-2004-x64
10ransomware...ni.exe
windows7-x64
10ransomware...ni.exe
windows10-2004-x64
10ransomware...pt.exe
windows7-x64
10ransomware...pt.exe
windows10-2004-x64
10ransomware...ya.exe
windows7-x64
7ransomware...ya.exe
windows10-2004-x64
7ransomware...en.exe
windows7-x64
8Analysis
-
max time kernel
148s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
17-03-2024 04:49
Static task
static1
Behavioral task
behavioral1
Sample
ransomwares/7ev3n/7ev3n.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ransomwares/7ev3n/7ev3n.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
ransomwares/Annabelle/Annabelle.exe
Resource
win7-20240215-en
Behavioral task
behavioral4
Sample
ransomwares/Annabelle/Annabelle.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
ransomwares/BadRabbit/BadRabbit.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
ransomwares/BadRabbit/BadRabbit.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
ransomwares/Birele/Birele.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral8
Sample
ransomwares/Cerber 5/Cerber 5.exe
Resource
win7-20240221-en
Behavioral task
behavioral9
Sample
ransomwares/Cerber 5/Cerber 5.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral10
Sample
ransomwares/Darkside/Darkside.exe
Resource
win7-20240221-en
Behavioral task
behavioral11
Sample
ransomwares/Darkside/Darkside.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral12
Sample
ransomwares/DeriaLock/DeriaLock.exe
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
ransomwares/DeriaLock/DeriaLock.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral14
Sample
ransomwares/Fake GoldenEye/FakeGoldenEye.exe
Resource
win7-20240215-en
Behavioral task
behavioral15
Sample
ransomwares/Fake GoldenEye/FakeGoldenEye.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral16
Sample
ransomwares/Fake PetrWrap/FakePetrWrap.exe
Resource
win7-20231129-en
Behavioral task
behavioral17
Sample
ransomwares/Fake PetrWrap/FakePetrWrap.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral18
Sample
ransomwares/FakePetya/FakePetya.exe
Resource
win7-20240221-en
Behavioral task
behavioral19
Sample
ransomwares/FakePetya/FakePetya.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral20
Sample
ransomwares/Fantom/Fantom.exe
Resource
win7-20240221-en
Behavioral task
behavioral21
Sample
ransomwares/Fantom/Fantom.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral22
Sample
ransomwares/GandCrab/GandCrab.exe
Resource
win7-20240221-en
Behavioral task
behavioral23
Sample
ransomwares/GandCrab/GandCrab.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral24
Sample
ransomwares/GoldenEye/GoldenEye.exe
Resource
win7-20240215-en
Behavioral task
behavioral25
Sample
ransomwares/GoldenEye/GoldenEye.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral26
Sample
ransomwares/Huzuni/Huzuni.exe
Resource
win7-20240221-en
Behavioral task
behavioral27
Sample
ransomwares/Huzuni/Huzuni.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral28
Sample
ransomwares/InfinityCrypt/InfinityCrypt.exe
Resource
win7-20240221-en
Behavioral task
behavioral29
Sample
ransomwares/InfinityCrypt/InfinityCrypt.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral30
Sample
ransomwares/JanusPetya/JanusPetya.exe
Resource
win7-20240221-en
Behavioral task
behavioral31
Sample
ransomwares/JanusPetya/JanusPetya.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral32
Sample
ransomwares/Krotten/Krotten.exe
Resource
win7-20240220-en
General
-
Target
ransomwares/GandCrab/GandCrab.exe
-
Size
424KB
-
MD5
95557a29de4b70a25ce62a03472be684
-
SHA1
5baabf2869278e60d4c4f236b832bffddd6cf969
-
SHA256
49b769536224f160b6087dc866edf6445531c6136ab76b9d5079ce622b043200
-
SHA512
79b78cf77926e0d8b424ad9984f72d4461c7d9e7af58c4e2af32fa7c58cc445c534228b0709b87f5e35e1c8793b3d028dc60787151d852b8524023d08b57f103
-
SSDEEP
6144:/UGV83D35bJrqV2L/E0tA+j16kUef5Nj1mB9WjEw0tzMV:qvmVe9h1qEtkBzw0tQ
Malware Config
Extracted
F:\$RECYCLE.BIN\ZVXSMBAAIR-DECRYPT.txt
http://gandcrabmfe6mnef.onion/599df0f1a8c0e3e
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (240) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ZVXSMBAAIR-DECRYPT.txt wermgr.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\1a8c09d31a8c0e3b719.lock wermgr.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: wermgr.exe File opened (read-only) \??\K: wermgr.exe File opened (read-only) \??\L: wermgr.exe File opened (read-only) \??\X: wermgr.exe File opened (read-only) \??\Z: wermgr.exe File opened (read-only) \??\Y: wermgr.exe File opened (read-only) \??\A: wermgr.exe File opened (read-only) \??\E: wermgr.exe File opened (read-only) \??\H: wermgr.exe File opened (read-only) \??\P: wermgr.exe File opened (read-only) \??\S: wermgr.exe File opened (read-only) \??\V: wermgr.exe File opened (read-only) \??\W: wermgr.exe File opened (read-only) \??\J: wermgr.exe File opened (read-only) \??\M: wermgr.exe File opened (read-only) \??\N: wermgr.exe File opened (read-only) \??\G: wermgr.exe File opened (read-only) \??\I: wermgr.exe File opened (read-only) \??\O: wermgr.exe File opened (read-only) \??\Q: wermgr.exe File opened (read-only) \??\R: wermgr.exe File opened (read-only) \??\T: wermgr.exe File opened (read-only) \??\U: wermgr.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" wermgr.exe -
Drops file in Program Files directory 23 IoCs
description ioc Process File opened for modification C:\Program Files\SendShow.rar wermgr.exe File opened for modification C:\Program Files\ConfirmRequest.vstm wermgr.exe File opened for modification C:\Program Files\FormatApprove.mpe wermgr.exe File opened for modification C:\Program Files\PopAssert.docm wermgr.exe File opened for modification C:\Program Files\ProtectWrite.potx wermgr.exe File opened for modification C:\Program Files\ResizeSet.rar wermgr.exe File opened for modification C:\Program Files\RequestPublish.ppt wermgr.exe File opened for modification C:\Program Files\RestoreBlock.M2T wermgr.exe File opened for modification C:\Program Files\RevokeUninstall.mpg wermgr.exe File created C:\Program Files\ZVXSMBAAIR-DECRYPT.txt wermgr.exe File opened for modification C:\Program Files\DismountBlock.avi wermgr.exe File opened for modification C:\Program Files\EditLimit.ADT wermgr.exe File opened for modification C:\Program Files\JoinSuspend.cfg wermgr.exe File opened for modification C:\Program Files\MoveCheckpoint.mpv2 wermgr.exe File opened for modification C:\Program Files\SaveStep.au wermgr.exe File created C:\Program Files\1a8c09d31a8c0e3b719.lock wermgr.exe File opened for modification C:\Program Files\BackupTest.emf wermgr.exe File opened for modification C:\Program Files\UnlockDisable.css wermgr.exe File created C:\Program Files (x86)\1a8c09d31a8c0e3b719.lock wermgr.exe File opened for modification C:\Program Files\CompareJoin.mhtml wermgr.exe File opened for modification C:\Program Files\CompletePush.xps wermgr.exe File opened for modification C:\Program Files\WatchConvert.aiff wermgr.exe File created C:\Program Files (x86)\ZVXSMBAAIR-DECRYPT.txt wermgr.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wermgr.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wermgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wermgr.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3920 wermgr.exe 3920 wermgr.exe 3920 wermgr.exe 3920 wermgr.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4388 wmic.exe Token: SeSecurityPrivilege 4388 wmic.exe Token: SeTakeOwnershipPrivilege 4388 wmic.exe Token: SeLoadDriverPrivilege 4388 wmic.exe Token: SeSystemProfilePrivilege 4388 wmic.exe Token: SeSystemtimePrivilege 4388 wmic.exe Token: SeProfSingleProcessPrivilege 4388 wmic.exe Token: SeIncBasePriorityPrivilege 4388 wmic.exe Token: SeCreatePagefilePrivilege 4388 wmic.exe Token: SeBackupPrivilege 4388 wmic.exe Token: SeRestorePrivilege 4388 wmic.exe Token: SeShutdownPrivilege 4388 wmic.exe Token: SeDebugPrivilege 4388 wmic.exe Token: SeSystemEnvironmentPrivilege 4388 wmic.exe Token: SeRemoteShutdownPrivilege 4388 wmic.exe Token: SeUndockPrivilege 4388 wmic.exe Token: SeManageVolumePrivilege 4388 wmic.exe Token: 33 4388 wmic.exe Token: 34 4388 wmic.exe Token: 35 4388 wmic.exe Token: 36 4388 wmic.exe Token: SeIncreaseQuotaPrivilege 4388 wmic.exe Token: SeSecurityPrivilege 4388 wmic.exe Token: SeTakeOwnershipPrivilege 4388 wmic.exe Token: SeLoadDriverPrivilege 4388 wmic.exe Token: SeSystemProfilePrivilege 4388 wmic.exe Token: SeSystemtimePrivilege 4388 wmic.exe Token: SeProfSingleProcessPrivilege 4388 wmic.exe Token: SeIncBasePriorityPrivilege 4388 wmic.exe Token: SeCreatePagefilePrivilege 4388 wmic.exe Token: SeBackupPrivilege 4388 wmic.exe Token: SeRestorePrivilege 4388 wmic.exe Token: SeShutdownPrivilege 4388 wmic.exe Token: SeDebugPrivilege 4388 wmic.exe Token: SeSystemEnvironmentPrivilege 4388 wmic.exe Token: SeRemoteShutdownPrivilege 4388 wmic.exe Token: SeUndockPrivilege 4388 wmic.exe Token: SeManageVolumePrivilege 4388 wmic.exe Token: 33 4388 wmic.exe Token: 34 4388 wmic.exe Token: 35 4388 wmic.exe Token: 36 4388 wmic.exe Token: SeBackupPrivilege 4916 vssvc.exe Token: SeRestorePrivilege 4916 vssvc.exe Token: SeAuditPrivilege 4916 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4920 wrote to memory of 3920 4920 GandCrab.exe 95 PID 4920 wrote to memory of 3920 4920 GandCrab.exe 95 PID 4920 wrote to memory of 3920 4920 GandCrab.exe 95 PID 4920 wrote to memory of 3920 4920 GandCrab.exe 95 PID 4920 wrote to memory of 3920 4920 GandCrab.exe 95 PID 3920 wrote to memory of 4388 3920 wermgr.exe 103 PID 3920 wrote to memory of 4388 3920 wermgr.exe 103 PID 3920 wrote to memory of 4388 3920 wermgr.exe 103 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ransomwares\GandCrab\GandCrab.exe"C:\Users\Admin\AppData\Local\Temp\ransomwares\GandCrab\GandCrab.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\wermgr.exe"C:\Windows\System32\wermgr.exe"2⤵
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4388
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4916
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD51bb954406287236dc63615630f96ccb5
SHA1603f0bc138c94e74718e25739f7e23ee7639e34c
SHA2561e2daaee0b796a7f618fa9fd21b7c3b80d61ffb60ec3125422ffac1c3996b1c3
SHA512e58348d31299ca90f70b609be3a123507522c205e5ef7947847a949edeea650662308df5e0df3d9381e1f6696fcf3b64a2dd505e8a5601db7ffe130d71de6cfd