gandcrab | d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0

System Information Discovery

Processes:

GandCrab.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	GandCrab.exe

Drops startup file 2 IoCs

Processes:

GandCrab.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\OIMJS-DECRYPT.html	GandCrab.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6772bc916772bb7f49.lock	GandCrab.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

GandCrab.exe

description	ioc	process
File opened (read-only)	\??\Q:	GandCrab.exe
File opened (read-only)	\??\B:	GandCrab.exe
File opened (read-only)	\??\E:	GandCrab.exe
File opened (read-only)	\??\N:	GandCrab.exe
File opened (read-only)	\??\W:	GandCrab.exe
File opened (read-only)	\??\X:	GandCrab.exe
File opened (read-only)	\??\Y:	GandCrab.exe
File opened (read-only)	\??\A:	GandCrab.exe
File opened (read-only)	\??\I:	GandCrab.exe
File opened (read-only)	\??\J:	GandCrab.exe
File opened (read-only)	\??\P:	GandCrab.exe
File opened (read-only)	\??\T:	GandCrab.exe
File opened (read-only)	\??\V:	GandCrab.exe
File opened (read-only)	\??\G:	GandCrab.exe
File opened (read-only)	\??\H:	GandCrab.exe
File opened (read-only)	\??\O:	GandCrab.exe
File opened (read-only)	\??\R:	GandCrab.exe
File opened (read-only)	\??\S:	GandCrab.exe
File opened (read-only)	\??\U:	GandCrab.exe
File opened (read-only)	\??\Z:	GandCrab.exe
File opened (read-only)	\??\K:	GandCrab.exe
File opened (read-only)	\??\L:	GandCrab.exe
File opened (read-only)	\??\M:	GandCrab.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

GandCrab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"	GandCrab.exe

Drops file in Program Files directory 28 IoCs

Processes:

GandCrab.exe

description	ioc	process
File opened for modification	C:\Program Files\BlockSuspend.fon	GandCrab.exe
File opened for modification	C:\Program Files\FormatDismount.vdx	GandCrab.exe
File created	C:\Program Files (x86)\OIMJS-DECRYPT.html	GandCrab.exe
File opened for modification	C:\Program Files\EnableRepair.wm	GandCrab.exe
File opened for modification	C:\Program Files\ReceiveDisconnect.vdx	GandCrab.exe
File opened for modification	C:\Program Files\RepairReceive.xlsb	GandCrab.exe
File opened for modification	C:\Program Files\ResetInitialize.raw	GandCrab.exe
File opened for modification	C:\Program Files\TestPop.ppt	GandCrab.exe
File opened for modification	C:\Program Files\MoveMount.M2T	GandCrab.exe
File opened for modification	C:\Program Files\RequestGroup.xla	GandCrab.exe
File opened for modification	C:\Program Files\InstallConvert.xml	GandCrab.exe
File opened for modification	C:\Program Files\SearchDismount.search-ms	GandCrab.exe
File created	C:\Program Files\OIMJS-DECRYPT.html	GandCrab.exe
File created	C:\Program Files\6772bc916772bb7f49.lock	GandCrab.exe
File opened for modification	C:\Program Files\CheckpointTest.mpeg3	GandCrab.exe
File opened for modification	C:\Program Files\CompleteConvertTo.vst	GandCrab.exe
File opened for modification	C:\Program Files\GroupSearch.temp	GandCrab.exe
File opened for modification	C:\Program Files\PushHide.dwfx	GandCrab.exe
File opened for modification	C:\Program Files\FormatCopy.dxf	GandCrab.exe
File opened for modification	C:\Program Files\UpdateLimit.kix	GandCrab.exe
File created	C:\Program Files (x86)\6772bc916772bb7f49.lock	GandCrab.exe
File opened for modification	C:\Program Files\CloseRestore.svg	GandCrab.exe
File opened for modification	C:\Program Files\DenyPing.mp4	GandCrab.exe
File opened for modification	C:\Program Files\DisconnectSwitch.mov	GandCrab.exe
File opened for modification	C:\Program Files\SuspendRename.png	GandCrab.exe
File opened for modification	C:\Program Files\WaitRedo.dib	GandCrab.exe
File opened for modification	C:\Program Files\AssertMeasure.ps1xml	GandCrab.exe
File opened for modification	C:\Program Files\CheckpointEnter.vbe	GandCrab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

GandCrab.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GandCrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GandCrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	GandCrab.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

GandCrab.exe

pid process

3872 GandCrab.exe
3872 GandCrab.exe
3872 GandCrab.exe
3872 GandCrab.exe

pid	process
3872	GandCrab.exe
3872	GandCrab.exe
3872	GandCrab.exe
3872	GandCrab.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

wmic.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3816	wmic.exe
Token: SeSecurityPrivilege	3816	wmic.exe
Token: SeTakeOwnershipPrivilege	3816	wmic.exe
Token: SeLoadDriverPrivilege	3816	wmic.exe
Token: SeSystemProfilePrivilege	3816	wmic.exe
Token: SeSystemtimePrivilege	3816	wmic.exe
Token: SeProfSingleProcessPrivilege	3816	wmic.exe
Token: SeIncBasePriorityPrivilege	3816	wmic.exe
Token: SeCreatePagefilePrivilege	3816	wmic.exe
Token: SeBackupPrivilege	3816	wmic.exe
Token: SeRestorePrivilege	3816	wmic.exe
Token: SeShutdownPrivilege	3816	wmic.exe
Token: SeDebugPrivilege	3816	wmic.exe
Token: SeSystemEnvironmentPrivilege	3816	wmic.exe
Token: SeRemoteShutdownPrivilege	3816	wmic.exe
Token: SeUndockPrivilege	3816	wmic.exe
Token: SeManageVolumePrivilege	3816	wmic.exe
Token: 33	3816	wmic.exe
Token: 34	3816	wmic.exe
Token: 35	3816	wmic.exe
Token: 36	3816	wmic.exe
Token: SeIncreaseQuotaPrivilege	3816	wmic.exe
Token: SeSecurityPrivilege	3816	wmic.exe
Token: SeTakeOwnershipPrivilege	3816	wmic.exe
Token: SeLoadDriverPrivilege	3816	wmic.exe
Token: SeSystemProfilePrivilege	3816	wmic.exe
Token: SeSystemtimePrivilege	3816	wmic.exe
Token: SeProfSingleProcessPrivilege	3816	wmic.exe
Token: SeIncBasePriorityPrivilege	3816	wmic.exe
Token: SeCreatePagefilePrivilege	3816	wmic.exe
Token: SeBackupPrivilege	3816	wmic.exe
Token: SeRestorePrivilege	3816	wmic.exe
Token: SeShutdownPrivilege	3816	wmic.exe
Token: SeDebugPrivilege	3816	wmic.exe
Token: SeSystemEnvironmentPrivilege	3816	wmic.exe
Token: SeRemoteShutdownPrivilege	3816	wmic.exe
Token: SeUndockPrivilege	3816	wmic.exe
Token: SeManageVolumePrivilege	3816	wmic.exe
Token: 33	3816	wmic.exe
Token: 34	3816	wmic.exe
Token: 35	3816	wmic.exe
Token: 36	3816	wmic.exe
Token: SeBackupPrivilege	5100	vssvc.exe
Token: SeRestorePrivilege	5100	vssvc.exe
Token: SeAuditPrivilege	5100	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

GandCrab.exe

description	pid	process	target process
PID 3872 wrote to memory of 3816	3872	GandCrab.exe	wmic.exe
PID 3872 wrote to memory of 3816	3872	GandCrab.exe	wmic.exe
PID 3872 wrote to memory of 3816	3872	GandCrab.exe	wmic.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\GandCrab.exe
"C:\Users\Admin\AppData\Local\Temp\GandCrab.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

3

System Information Discovery

4

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement