Malware Analysis Report

2025-01-03 08:51

Sample ID 240506-wxp5xage72
Target GandCrab.exe
SHA256 bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a
Tags
gandcrab backdoor defense_evasion execution impact ransomware spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a

Threat Level: Known bad

The file GandCrab.exe was found to be: Known bad.

Malicious Activity Summary

gandcrab backdoor defense_evasion execution impact ransomware spyware stealer

Gandcrab

Deletes shadow copies

Renames multiple (269) files with added filename extension

Renames multiple (265) files with added filename extension

Reads user/profile data of web browsers

Drops startup file

Checks computer location settings

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

Checks processor information in registry

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-06 18:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-06 18:18

Reported

2024-05-06 18:20

Platform

win7-20240220-en

Max time kernel

142s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GandCrab.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (265) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\AHBSBPPHF-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\BlockSend.3g2 | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\OutRead.m4a | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\ShowNew.ppt | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\2cedcdae2cedca406e.lock | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\MoveUninstall.kix | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\RenameMove.css | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\TestSearch.xht | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File created | C:\Program Files\AHBSBPPHF-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\ConvertToOut.emf | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\UninstallSkip.pps | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\GetDisconnect.M2TS | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\2cedcdae2cedca406e.lock | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\SkipInvoke.mpeg | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\SubmitUnpublish.odp | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\AHBSBPPHF-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\AHBSBPPHF-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\AHBSBPPHF-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File created | C:\Program Files\2cedcdae2cedca406e.lock | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\UnblockSkip.wma | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\WatchRedo.aifc | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\UpdateSave.txt | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\2cedcdae2cedca406e.lock | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\EnterProtect.wmx | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\JoinShow.asp | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\ReceiveSave.txt | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File created | C:\Program Files (x86)\2cedcdae2cedca406e.lock | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\CompressUndo.rtf | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\DenyUnpublish.bmp | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\MeasureClear.css | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A

Interacts with shadow copies

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\GandCrab.exe

"C:\Users\Admin\AppData\Local\Temp\GandCrab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.kakaocorp.link | udp

Files

memory/2500-5-0x0000000000400000-0x00000000052B3000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\AHBSBPPHF-MANUAL.txt

MD5 a1e9d9831b553943c73e573f52d4219a
SHA1 6a0b4e791e374ac8d1702c99d05ffddb004d920f
SHA256 4cc2b375e3201dfe041ccd34231c0807830f523840d8f6cb557015dc09fea3b3
SHA512 092b6318101dd5c8643d037ff09403acff3fedc635312a744fa0edd1ef41584ac2a91f91313dadb38b1ce8a0da186443c7977f2dd1f4403158ea2e64aa2c5896

memory/2500-45-0x0000000000400000-0x00000000052B3000-memory.dmp

memory/2500-689-0x0000000000400000-0x00000000052B3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-06 18:18

Reported

2024-05-06 18:20

Platform

win10v2004-20240419-en

Max time kernel

136s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GandCrab.exe"

Signatures

Gandcrab

ransomware backdoor gandcrab

Renames multiple (269) files with added filename extension

ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\VBTQLKEC-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\55252d2455252aca6e.lock | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\VBTQLKEC-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File created | C:\Program Files\55252d2455252aca6e.lock | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\DenyEnter.mhtml | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\ImportStart.pot | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\TraceSearch.dxf | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File created | C:\Program Files (x86)\55252d2455252aca6e.lock | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\CompressEdit.dib | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\ConvertPing.vbe | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\PopJoin.bin | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\RepairSet.js | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\ShowRepair.odp | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\ExpandSkip.eps | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\GroupDeny.mhtml | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\InitializeInvoke.ods | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\NewRename.docx | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\PingBlock.ex_ | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\RevokeResume.vssm | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\DisconnectSet.css | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\GroupResume.rar | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\MergeUnblock.potm | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File opened for modification | C:\Program Files\SubmitRestore.dot | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
File created | C:\Program Files (x86)\VBTQLKEC-MANUAL.txt | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4644 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\GandCrab.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\GandCrab.exe

"C:\Users\Admin\AppData\Local\Temp\GandCrab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4644 -ip 4644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1420

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.72:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.kakaocorp.link | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

Files

memory/4644-1-0x0000000005590000-0x0000000005690000-memory.dmp

memory/4644-2-0x0000000000400000-0x000000000041B000-memory.dmp

C:\$Recycle.Bin\VBTQLKEC-MANUAL.txt

MD5 2212422fce2d32053102d572a7c67921
SHA1 e7536a10dd1fc1c38368aba04d1505946c741a14
SHA256 b9de69bff8e97de43506d505fcf1e22d852b09a4ca0781c2bc5f2a736d0655ed
SHA512 a04537e4f552f03883455fe93decf9b560f69241868d60cbe0ee59ac355cdc62edf23d729ee57aef0a9a71d1dd3fb92d48ec62b8408157569cc67e726fee6c9b

memory/4644-710-0x0000000000400000-0x00000000052B3000-memory.dmp

memory/4644-713-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4644-712-0x0000000000400000-0x00000000052B3000-memory.dmp